Signature names: [0] FINGER: FingerD Probe:1 [1] RTSP: Transport Header Buffer Overflow:1 [2] RTSP: Transport Header Buffer Overflow:2 [3] FTP: WU-FTPD File Glob Heap Corruption:3 [4] FTP: WU-FTPD File Glob Heap Corruption:1 [5] FTP: WU-FTPD File Glob Heap Corruption:2 [6] HTTP: Buffer Overflow Attempt Detected in Header:1 [7] HTTP: Buffer Overflow Attempt Detected in Header:2 [8] HTTP: Buffer Overflow Attempt Detected in Header:3 [9] HTTP: Buffer Overflow Attempt Detected in Header:4 [10] HTTP: Buffer Overflow Attempt Detected in Header:5 [11] HTTP: Buffer Overflow Attempt Detected in Header:6 [12] HTTP: WebDAV PROPFIND List Directory:1 [13] HTTP: WebDAV PROPFIND List Directory:2 [14] TELNET: BSD Telnetd Telrcv() Exploit:1 [15] TELNET: BSD Telnetd Telrcv() Exploit:2 [16] TELNET: BSD Telnetd Telrcv() Exploit:3 [17] HTTP: EZShopper Command Execution:1 [18] HTTP: EZShopper Command Execution:2 [19] HTTP: W32/Mydoom@MM DoS:1 [20] BACKDOOR: Intruzzo:1 [21] BACKDOOR: NetBus Trojan:3 [22] BACKDOOR: NetBus Trojan:1 [23] BACKDOOR: NetBus Trojan:2 [24] BACKDOOR: NetBus Trojan:4 [25] WORM: W32/Bagle.bj@MM Worm:1 [26] WORM: W32/Bagle.bj@MM Worm:2 [27] WORM: W32/Bagle.bj@MM Worm:3 [28] HTTP: Siteserver site.csc File Read:1 [29] HTTP: Siteserver site.csc File Read:2 [30] FTP: Ftpd CWD ...:1 [31] HTTP: IIS newdsn.exe File Creation:1 [32] HTTP: IIS newdsn.exe File Creation:2 [33] HTTP: IIS newdsn.exe File Creation:4 [34] REXEC: Login Failed:1 [35] SNMP: MS NT WINS Vulnerability:1 [36] TFTP: 3CDaemon Reserved Device Name DOS:1 [37] IMAP: Overly Long EXAMINE Command Parameter:1 [38] NETBIOS-SS: Lioten Worm:1 [39] HTTP: Weblogic Show Code:1 [40] HTTP: Weblogic Show Code:2 [41] NETBIOS-SS: Windows Directory Traversal:1 [42] BACKDOOR: Digital RootBeer:1 [43] KERBEROS: Microsoft Kerberos 5 ASN.1 Double Free Encoding Error:1 [44] FTP: WU-FTP 244 Buffer Overflow:1 [45] FTP: WU-FTP 244 Buffer Overflow:2 [46] FTP: WU-FTP 244 Buffer Overflow:3 [47] HTTP: info2www Execute Arbitary Command:1 
[48] HTTP: info2www Execute Arbitary Command:2 [49] DDoS: TFN Agent Response:1 [50] WORM: W32/Netsky.j@MM Worm:1 [51] WORM: W32/Netsky.j@MM Worm:2 [52] WORM: W32/Netsky.j@MM Worm:3 [53] DHCP: ISC DHCP Server NSUPDATE MiniRes Library Buffer Overflow:1 [54] DHCP: ISC DHCP Server NSUPDATE MiniRes Library Buffer Overflow:2 [55] DHCP: ISC DHCP Server NSUPDATE MiniRes Library Buffer Overflow:3 [56] IMAP: EXAMINE Buffer Overflow with Shellcode:1 [57] FTP: Overly Long PASS Parameters Buffer Overflow:1 [58] SHELLCODE: Shellcode Detectedfor HP PA-RISC Family CPUs:1 [59] SHELLCODE: Shellcode Detectedfor HP PA-RISC Family CPUs:2 [60] SHELLCODE: Shellcode Detectedfor HP PA-RISC Family CPUs:3 [61] BACKDOOR: Fore:1 [62] BACKDOOR: Fore:2 [63] MMS: Overly Large Packet Length:1 [64] HTTP: View Source Input Validation:1 [65] HTTP: View Source Input Validation:2 [66] RSH: Root Account Attempt:1 [67] POP3: Buffer Overflow Attempt With RETR Parameters:1 [68] WORM: W32/Bagle.aq@MM Worm:1 [69] WORM: W32/Bagle.aq@MM Worm:2 [70] WORM: W32/Bagle.aq@MM Worm:3 [71] IMAP: Buffer Overflow with Overly Long STATUS Command Parameters:1 [72] SSH: Cisco Catalyst SSH Mismatch Crash:1 [73] NETBIOS-SS: Microsoft License Logging Service Overflow Vulnerability:1 [74] NETBIOS-SS: Microsoft License Logging Service Overflow Vulnerability:2 [75] SSL: Session Allocation Error:1 [76] SSL: Session Allocation Error:2 [77] HTTP: Dragon Fire IDS Web Interface Remote Execution:1 [78] HTTP: Dragon Fire IDS Web Interface Remote Execution:2 [79] HTTP: Dragon Fire IDS Web Interface Remote Execution:3 [80] SMTP: Long MAIL Params With Shellcode Exploit:1 [81] HTTP: CCBill WhereAmI.CGI Remote Arbitrary Command Execution:1 [82] HTTP: CCBill WhereAmI.CGI Remote Arbitrary Command Execution:2 [83] P2P: BitTorrent File Transfer HandShaking:1 [84] P2P: BitTorrent File Transfer HandShaking:3 [85] P2P: BitTorrent File Transfer HandShaking:4 [86] P2P: BitTorrent File Transfer HandShaking:5 [87] FTP: Ftpd ADMhack Scan:1 [88] HTTP: 
Webtrends Probe:1 [89] POP3: SCO Popd Buffer Overflow:1 [90] WORM: W32/Bagle.j@MM Worm:1 [91] WORM: W32/Bagle.j@MM Worm:2 [92] WORM: W32/Bagle.j@MM Worm:3 [93] WORM: W32/Bagle.j@MM Worm:4 [94] WORM: W32/Bagle.j@MM Worm:5 [95] WORM: W32/Bagle.j@MM Worm:6 [96] TELNET: TTYPROMPT Remote Change:1 [97] TELNET: TTYPROMPT Remote Change:2 [98] TFTP: Get Sensitive File:1 [99] TFTP: Get Sensitive File:2 [100] TFTP: Get Sensitive File:3 [101] TFTP: Get Sensitive File:4 [102] RPC: STATD UNMONALL Generic Length Buffer Overflow:1 [103] MSSQL: Microsoft SQL Server TDS Packet Fragment Handling DoS:1 [104] HTTP: IIS Index Sever idq Read File:1 [105] HTTP: IIS Index Sever idq Read File:2 [106] HTTP: Anyform Execute Arbitrary Command:1 [107] HTTP: Anyform Execute Arbitrary Command:2 [108] HTTP: Anyform Execute Arbitrary Command:3 [109] ISS: ISS PAM_ICQ Module Buffer Overflow:1 [110] ISS: ISS PAM_ICQ Module Buffer Overflow:2 [111] XTACACS: CiscoSecure ACS Vulnerability:1 [112] WORM: W32/Bagle.aa@MM Worm:1 [113] WORM: W32/Bagle.aa@MM Worm:2 [114] WORM: W32/Bagle.aa@MM Worm:3 [115] WORM: W32/Bagle.aa@MM Worm:4 [116] WORM: W32/Bagle.aa@MM Worm:5 [117] WORM: W32/Bagle.aa@MM Worm:6 [118] WORM: W32/Bagle.aa@MM Worm:7 [119] WORM: W32/Bagle.aa@MM Worm:8 [120] WORM: W32/Bagle.aa@MM Worm:9 [121] TELNET: SGI Default Telnet Account Attempt:1 [122] HTTP: Samba 3.x SWAT Preauthentication Buffer Overflow:1 [123] HTTP: Samba 3.x SWAT Preauthentication Buffer Overflow:2 [124] IMAP: AUTH Buffer Overflow Exploit:1 [125] SENSOR: PREVDATA-NODES Exhausted:1 [126] SMTP: MercurMail DoS:1 [127] NETBIOS-NS: Symantec Multiple Firewall NBNS Response Processing Stack Overflow:1 [128] NETBIOS-NS: Symantec Multiple Firewall NBNS Response Processing Stack Overflow:2 [129] HTTP: KW Whois Remote Command Execution:1 [130] HTTP: KW Whois Remote Command Execution:2 [131] IM: AOL Instant Messenger Arbitrary File Creation Vulnerability:1 [132] DCERPC: Microsoft RPCSS Heap Overflow II:1 [133] DCERPC: Microsoft RPCSS Heap 
Overflow II:2 [134] DCERPC: Microsoft RPCSS Heap Overflow II:3 [135] DCERPC: Microsoft RPCSS Heap Overflow II:4 [136] FTP: Stor .forward:1 [137] SIP: Header Buffer Overflow in SIP Server:1 [138] SIP: Header Buffer Overflow in SIP Server:2 [139] SIP: Header Buffer Overflow in SIP Server:3 [140] NETBIOS-SS: Microsoft Negotiate SSP Vulnerability:1 [141] RPC: ypbind Generic Exploit:1 [142] P2P: Swapper Alive:1 [143] P2P: Swapper Alive:2 [144] DDoS: Stacheldraht Agent Spoof Test:1 [145] HTTP: IIS ism.dll/SSI Buffer Overflow:1 [146] HTTP: IIS ism.dll/SSI Buffer Overflow:2 [147] HTTP: IIS ism.dll/SSI Buffer Overflow:3 [148] HTTP: IIS ism.dll/SSI Buffer Overflow:4 [149] HTTP: IIS ism.dll/SSI Buffer Overflow:5 [150] HTTP: Phorum Sent Mail:1 [151] HTTP: Phorum Sent Mail:2 [152] WORM: W32/Bagle.b@MM Worm:1 [153] WORM: W32/Bagle.b@MM Worm:2 [154] WORM: W32/Bagle.b@MM Worm:3 [155] HTTP: IIS Index Server Overflow:1 [156] BACKDOOR: Web Serve CT Backdoor:1 [157] BACKDOOR: Web Serve CT Backdoor:2 [158] BACKDOOR: Web Serve CT Backdoor:3 [159] BACKDOOR: Web Serve CT Backdoor:4 [160] BACKDOOR: Web Serve CT Backdoor:5 [161] IM: Yahoo Messenger File Transfer:1 [162] IM: Yahoo Messenger File Transfer:3 [163] IM: Yahoo Messenger File Transfer:4 [164] IM: MSN Messenger Server Lookup:1 [165] IM: MSN Messenger Server Lookup:2 [166] RTSP: Header Buffer Overflow:1 [167] RTSP: Header Buffer Overflow:2 [168] MSSQL: Resolution Service Data Too Long:1 [169] HTTP: Allaire JRun SSIFilter File Read:1 [170] HTTP: Allaire JRun SSIFilter File Read:2 [171] TELNET: Resolve Host Conf:1 [172] FTP: Overly Long UNLOCK Command Parameters:1 [173] FTP: Overly Long UNLOCK Command Parameters:2 [174] HTTP: Header Buffer Overflow Attempt:1 [175] HTTP: Header Buffer Overflow Attempt:2 [176] SMTP: Pipe Attack:1 [177] SMTP: Pipe Attack:2 [178] HTTP: Microsoft Media Service NSIISLOG.DLL Exploit:1 [179] HTTP: Microsoft Media Service NSIISLOG.DLL Exploit:2 [180] HTTP: Microsoft Media Service NSIISLOG.DLL Exploit:3 [181] 
RPC: snmpXdmid Solaris LSD Buffer Overflow:1 [182] RPC: snmpXdmid Solaris LSD Buffer Overflow:2 [183] RPC: snmpXdmid Solaris LSD Buffer Overflow:3 [184] BACKDOOR: Vampire:1 [185] UPnP: NOTIFY Buffer Overflow:1 [186] KERBEROS: Microsoft Kerberos 5 ASN.1 BitStr Encoding Error:1 [187] BACKDOOR: Blazer5 (Sockets De Troie v1):1 [188] BACKDOOR: Blazer5 (Sockets De Troie v1):2 [189] BACKDOOR: Blazer5 (Sockets De Troie v1):3 [190] RPC: Portmapper CALLIT Proxy Attempt:1 [191] P2P: Gnutella File Transferring:2 [192] P2P: Gnutella File Transferring:3 [193] MSSQL: SQL Server Resolution Stack Overflow:1 [194] MSSQL: SQL Server Resolution Stack Overflow:2 [195] FTP: Glob Exploit Denial of Service:1 [196] FTP: Glob Exploit Denial of Service:2 [197] FTP: Glob Exploit Denial of Service:3 [198] FTP: Glob Exploit Denial of Service:4 [199] HTTP: PHP Upload File Buffer Overflow:1 [200] HTTP: PHP Upload File Buffer Overflow:2 [201] REXEC: Account Login Attempt:1 [202] SNMP: OVActionD SNMP Trap Command Execution Vulnerability:1 [203] SNMP: OVActionD SNMP Trap Command Execution Vulnerability:2 [204] SNMP: OVActionD SNMP Trap Command Execution Vulnerability:3 [205] IRC: Trillian PRIVMSG Buffer Overflow:1 [206] MSRPC: Windows Registry Remote Write Attempt:1 [207] HTTP: BadBlue Null Byte File Disclosure:1 [208] HTTP: BadBlue Null Byte File Disclosure:2 [209] HTTP: Cisco Catalyst Remote Arbitrary Command Execution:1 [210] HTTP: Cisco Catalyst Remote Arbitrary Command Execution:2 [211] FTP: WFTPD Buffer Overflow:1 [212] FTP: WFTPD Buffer Overflow:2 [213] FTP: WFTPD Buffer Overflow:3 [214] DDoS: mstream Agent-to-Handler Communication:1 [215] IMAP: Buffer Overflow With Overly Long DELETE Command Parameters:2 [216] FTP: Ipswitch WS_FTP Server ALLO Error Buffer Overflow:1 [217] DCERPC: Microsoft Windows LSASS Buffer Overflow:1 [218] DCERPC: Microsoft Windows LSASS Buffer Overflow:2 [219] DCERPC: Microsoft Windows LSASS Buffer Overflow:3 [220] RPC: MOUNTD Lucysoft Buffer Overflow:1 [221] RPC: 
MOUNTD Lucysoft Buffer Overflow:2 [222] RPC: MOUNTD Lucysoft Buffer Overflow:3 [223] NMAP: XMAS with SYN Probe:1 [224] HTTP: Cisco HTTP Admin Authentication:1 [225] HTTP: Cisco HTTP Admin Authentication:2 [226] WORM: W32/Netsky.ag@MM Worm:1 [227] WORM: W32/Netsky.ag@MM Worm:2 [228] WORM: W32/Netsky.ag@MM Worm:3 [229] WORM: W32/Netsky.ag@MM Worm:4 [230] WORM: W32/Netsky.ag@MM Worm:5 [231] WORM: W32/Netsky.ag@MM Worm:6 [232] IMAP: Buffer Overflow With Overly Long FETCH Command Parameters:1 [233] HTTP: php.cgi Buffer Overflow:1 [234] HTTP: php.cgi Buffer Overflow:2 [235] SSL: Unsupported Diffie-Hellman Cipher Suite:1 [236] DTSPCD: CDE dtspcd Remote Buffer Overflow:2 [237] DTSPCD: CDE dtspcd Remote Buffer Overflow:3 [238] HTTP: WebCart webcart.cgi Command Execution:1 [239] HTTP: WebCart webcart.cgi Command Execution:2 [240] BACKDOOR: Swift:1 [241] BACKDOOR: Swift:2 [242] FTP: Ftpd Passwd Retrieval Attempt:1 [243] TCP: Illegal FIN Probe:1 [244] POP3: Qpop24 Buffer Overflow:1 [245] WORM: W32/Bagle.n@MM Worm:1 [246] WORM: W32/Bagle.n@MM Worm:2 [247] WORM: W32/Bagle.n@MM Worm:3 [248] WORM: W32/Bagle.n@MM Worm:4 [249] WORM: W32/Bagle.n@MM Worm:5 [250] WORM: W32/Bagle.n@MM Worm:6 [251] SMTP: Possible SSH Worm:1 [252] ICMP: Source Quench Option Set:1 [253] ICMP: Timestamp Probe:1 [254] BACKDOOR: ButtMan:1 [255] BACKDOOR: ButtMan:2 [256] RPC: AMD/AMQ Generic Length Buffer Overflow:1 [257] DMWARE: DMWare Remote Control Stack Buffer Overflow:1 [258] IGMP: Koc Attack:1 [259] HTTP: classified.cgi Input Validation:1 [260] HTTP: classified.cgi Input Validation:2 [261] HTTP: classified.cgi Input Validation:3 [262] POP3: AnalogX Denial of Service:1 [263] POP3: AnalogX Denial of Service:2 [264] POP3: AnalogX Denial of Service:3 [265] TELNET: Invalid Telnet Flow:1 [266] WORM: W32/Dabber Worm:1 [267] IMAP: SIMS LOGIN Buffer Overflow:1 [268] LPR: Format String Attack:1 [269] LPR: Format String Attack:2 [270] LPR: Format String Attack:3 [271] SMTP: SmartServer3 MAIL FROM Buffer Overflow:2 
[272] SMTP: SmartServer3 MAIL FROM Buffer Overflow:1 [273] SMTP: SmartServer3 MAIL FROM Buffer Overflow:3 [274] HTTP: IIS ISM.DLL access:1 [275] HTTP: IIS ISM.DLL access:2 [276] IM: AOL Instant Messenger %s DoS Vulnerability:1 [277] DCERPC: Microsoft Message Queue Service Heap Overflow:1 [278] BACKDOOR: Connection/Host Control:1 [279] BACKDOOR: Connection/Host Control:2 [280] FTP: AIX Overflow:1 [281] FTP: AIX Overflow:2 [282] FTP: AIX Overflow:3 [283] FTP: AIX Overflow:4 [284] BACKDOOR: Cyn:1 [285] BACKDOOR: Cyn:2 [286] SMB: Samba Multiple Slash Arbitrary File Access:1 [287] SMB: Samba Multiple Slash Arbitrary File Access:2 [288] SYBASE: DROP DATABASE Command Used:1 [289] SYBASE: DROP DATABASE Command Used:2 [290] ARP: MAC Address Cloned:1 [291] BACKDOOR: Kuang2:1 [292] RPC: AUTOFS Remote Command Execution:1 [293] MSSQL: BULK INSERT Possible Buffer Overflow:1 [294] MSSQL: BULK INSERT Possible Buffer Overflow:2 [295] DDoS: Stacheldraht Master-Spoofworks:1 [296] HTTP: Microsoft Frontpage fp30reg.dll Buffer Overflow:1 [297] HTTP: Microsoft Frontpage fp30reg.dll Buffer Overflow:2 [298] HTTP: Microsoft Frontpage fp30reg.dll Buffer Overflow:4 [299] HTTP: w3-msql Execute Command:1 [300] HTTP: w3-msql Execute Command:2 [301] HTTP: w3-msql Execute Command:3 [302] WORM: W32/Netsky.c@MM Worm:1 [303] WORM: W32/Netsky.c@MM Worm:2 [304] WORM: W32/Netsky.c@MM Worm:3 [305] WORM: W32/Netsky.c@MM Worm:4 [306] WORM: W32/Netsky.c@MM Worm:5 [307] WORM: W32/Netsky.c@MM Worm:6 [308] BACKDOOR: WOW23:1 [309] SMB: Samba Trans2Open Buffer Overflow:1 [310] SMB: Samba Trans2Open Buffer Overflow:2 [311] MSSQL: sp_MScopyscript Command Execution:1 [312] MSSQL: sp_MScopyscript Command Execution:2 [313] HTTP: Axis StorPoint Auth Sidestep:1 [314] HTTP: Axis StorPoint Auth Sidestep:2 [315] TELNET: IAC Bomb:1 [316] TELNET: IAC Bomb:2 [317] BACKDOOR: Uploader:1 [318] BACKDOOR: Uploader:2 [319] DoS: ICMP-Based Jolt2 Attack:1 [320] SMTP: eXtremail Format String:1 [321] HTTP: IIS cmd.exe Execution:1 
[322] HTTP: IIS cmd.exe Execution:2 [323] BACKDOOR: Xanadu:1 [324] BACKDOOR: Xanadu:2 [325] HTTP: Apache Tomcat DefaultServlet File Disclosure:1 [326] HTTP: Apache Tomcat DefaultServlet File Disclosure:2 [327] SMTP: MailMax Buffer Overflow:1 [328] HTTP: Auction Weaver Remote Command Execution:1 [329] HTTP: Auction Weaver Remote Command Execution:2 [330] KERBEROS: Microsoft Kerberos 5 ASN.1 Message Field Length Encoding Error:1 [331] KERBEROS: Microsoft Kerberos 5 ASN.1 Message Field Length Encoding Error:2 [332] KERBEROS: Microsoft Kerberos 5 ASN.1 Message Field Length Encoding Error:3 [333] KERBEROS: Microsoft Kerberos 5 ASN.1 Message Field Length Encoding Error:4 [334] KERBEROS: Microsoft Kerberos 5 ASN.1 Message Field Length Encoding Error:5 [335] KERBEROS: Microsoft Kerberos 5 ASN.1 Message Field Length Encoding Error:6 [336] P2P: BearShare Alive:1 [337] P2P: BearShare Alive:2 [338] BACKDOOR: Hvl RAT:1 [339] BACKDOOR: Hvl RAT:2 [340] RPC: Rwalld Format String Vulnerability:1 [341] HTTP: Apache Win32 .Bat Exploit:1 [342] HTTP: Apache Win32 .Bat Exploit:2 [343] HTTP: Apache Win32 .Bat Exploit:3 [344] Oracle: HTTP Server mod_access Restriction Bypass Vulnerability:1 [345] Oracle: HTTP Server mod_access Restriction Bypass Vulnerability:2 [346] DDoS: Stacheldraht Handler-check-gag:1 [347] BACKDOOR: Remote Hack:1 [348] BACKDOOR: Remote Hack:2 [349] HTTP: Microsoft W3Who ISAPI DLL Buffer Overflow:1 [350] HTTP: Microsoft W3Who ISAPI DLL Buffer Overflow:2 [351] MSRPC: NT LSA Secrets Vulnerability:1 [352] HTTP: Hassan Consulting Shopping Cart Arbitrary Command Execution:1 [353] HTTP: Hassan Consulting Shopping Cart Arbitrary Command Execution:2 [354] BACKDOOR: Portal of Doom:1 [355] BACKDOOR: Portal of Doom:2 [356] RPC: CMSD Solaris ISS Buffer Overflow:1 [357] RPC: CMSD Solaris ISS Buffer Overflow:2 [358] FTP: IIS FTP STAT Glob Denial of Service:1 [359] MSSQL: xp_mergelineages Possible Buffer Overflow:1 [360] MSSQL: xp_mergelineages Possible Buffer Overflow:2 [361] FTP: 
WU-FTPD 2.6.0 Bobek Buffer Overflow:1 [362] FTP: WU-FTPD 2.6.0 Bobek Buffer Overflow:2 [363] BACKDOOR: Tcc:1 [364] HTTP: Mail Manage EX PHP Include Exploit:1 [365] FTP: OpenFTPD MSG Format String Exploit:1 [366] HTTP: IIS WebDAV propfind Server DoS:1 [367] HTTP: IIS WebDAV propfind Server DoS:2 [368] SHELLCODE: Shellcode Exploit Detected for i386 Family CPUs:1 [369] SHELLCODE: Shellcode Exploit Detected for i386 Family CPUs:2 [370] SHELLCODE: Shellcode Exploit Detected for i386 Family CPUs:3 [371] SHELLCODE: Shellcode Exploit Detected for i386 Family CPUs:4 [372] SHELLCODE: Shellcode Exploit Detected for i386 Family CPUs:5 [373] IDENT: Suspiciously Long Response:1 [374] IDENT: Suspiciously Long Response:2 [375] IDENT: Suspiciously Long Response:3 [376] DCERPC: Microsoft Message Queuing Service Buffer Overflow:1 [377] DCERPC: Microsoft Message Queuing Service Buffer Overflow:2 [378] DCERPC: Microsoft Message Queuing Service Buffer Overflow:3 [379] BACKDOOR: Remote Windows Shutdown:1 [380] RPC: STATD SMMON Format String Attack:1 [381] RPC: STATD SMMON Format String Attack:2 [382] RPC: STATD SMMON Format String Attack:3 [383] RPC: STATD SMMON Format String Attack:4 [384] RPC: STATD SMMON Format String Attack:5 [385] RPC: STATD SMMON Format String Attack:6 [386] SCAN: NULL Probe:1 [387] HTTP: PhpPhotoAlbum Directory Traversal:1 [388] HTTP: PhpPhotoAlbum Directory Traversal:2 [389] DoS: UDP Bomb:1 [390] DoS: UDP Bomb:2 [391] IMAP: Buffer Overflow With Overly Long UID Command Parameters:1 [392] TCP: Abnormal TCP Window Scaling Options:1 [393] SMTP: x86 Windows CSM Mail Buffer Overflow:1 [394] KERBEROS: Kerberos 5 ASN.1 Field Crafted BitString:1 [395] BACKDOOR: Total Eclypse:1 [396] FTP: Ftpd SATAN Scan:1 [397] HTTP: Cisco IOS HTTP DoS:1 [398] HTTP: Cisco IOS HTTP DoS:2 [399] ORACLE: MD2 Package SDO_CODE_SIZE Procedure Buffer Overflow:1 [400] SNMP: Invalid Bulk Request ID:1 [401] ICMP: Netmask Request:1 [402] HTTP: VBulletin Forumdisplay PHP Code Execution:1 [403] 
BACKDOOR: Priority:1 [404] DCERPC: Microsoft RPC DCOM Buffer Overflow:1 [405] DCERPC: Microsoft RPC DCOM Buffer Overflow:2 [406] DCERPC: Microsoft RPC DCOM Buffer Overflow:3 [407] DCERPC: Microsoft RPC DCOM Buffer Overflow:4 [408] BACKDOOR: Backdoor2 Trojan:1 [409] BACKDOOR: Backdoor2 Trojan:2 [410] BACKDOOR: Backdoor2 Trojan:3 [411] BACKDOOR: Backdoor2 Trojan:4 [412] RPC: TTDBServerD HPUX APK Buffer Overflow:1 [413] RPC: TTDBServerD HPUX APK Buffer Overflow:2 [414] MSSQL: xp_peekqueue Possible Buffer Overflow:1 [415] MSSQL: xp_peekqueue Possible Buffer Overflow:2 [416] SNMP: Microsoft Printer Query DoS Vulnerability:1 [417] TELNET: Telnet Client slc_add_reply Buffer Overflow Vulnerability:1 [418] TELNET: Telnet Client slc_add_reply Buffer Overflow Vulnerability:2 [419] TELNET: Telnet Client slc_add_reply Buffer Overflow Vulnerability:3 [420] IMAP: Imapscan.sh Exploit:1 [421] HTTP: Lotus Domino ReplicaID Access Vulnerability:1 [422] HTTP: Lotus Domino ReplicaID Access Vulnerability:2 [423] PPTP: MicroSoft PPTP Malformed Control Message:1 [424] LPR: PIC LPd Exploit:1 [425] HTTP: IIS Index Server query.dll Overflow:1 [426] HTTP: IIS Index Server query.dll Overflow:2 [427] HTTP: IIS Index Server query.dll Overflow:3 [428] DCERPC: Arnudp Attack:1 [429] BACKDOOR: Evil FTP:1 [430] HTTP: Windmail.exe Remote File Read:1 [431] HTTP: Windmail.exe Remote File Read:2 [432] ORACLE: Application Server Report Server Buffer Overflow:1 [433] ORACLE: Application Server Report Server Buffer Overflow:2 [434] ORACLE: Application Server Report Server Buffer Overflow:3 [435] BACKDOOR: Olive:1 [436] BACKDOOR: Duddie:1 [437] BACKDOOR: Duddie:2 [438] SMTP: TURN Command:1 [439] FINGER: ZKFingerd Format String Vulnerability:1 [440] FINGER: ZKFingerd Format String Vulnerability:2 [441] HTTP: Microsoft IIS HOST Header DoS:1 [442] HTTP: Microsoft IIS HOST Header DoS:2 [443] RDP: Microsoft Terminal Services RDP DoS:1 [444] ARP: ARP Spoofing with Different MAC Addresses:1 [445] BACKDOOR: 
BackConstruction Trojan:1 [446] MSSQL: DBCC Buffer Overflow:1 [447] MSSQL: DBCC Buffer Overflow:2 [448] MSSQL: DBCC Buffer Overflow:3 [449] MSSQL: DBCC Buffer Overflow:4 [450] MSSQL: DBCC Buffer Overflow:5 [451] MSSQL: DBCC Buffer Overflow:6 [452] MSSQL: DBCC Buffer Overflow:7 [453] MSSQL: DBCC Buffer Overflow:8 [454] MSSQL: DBCC Buffer Overflow:9 [455] MSSQL: DBCC Buffer Overflow:10 [456] MSSQL: DBCC Buffer Overflow:11 [457] MSSQL: DBCC Buffer Overflow:12 [458] MSSQL: DBCC Buffer Overflow:13 [459] MSSQL: DBCC Buffer Overflow:14 [460] HTTP: Nortel Contivity cgiproc DoS:1 [461] HTTP: Nortel Contivity cgiproc DoS:2 [462] SNMP: Integer Overflow Detected:1 [463] POP3: Qpopper Buffer Overflow:1 [464] POP3: Qpopper Buffer Overflow:2 [465] HTTP: Microsoft Office XP Word Long Filename Overflow:1 [466] WORM: W32/Bagle.e@MM Worm:1 [467] WORM: W32/Bagle.e@MM Worm:2 [468] WORM: W32/Bagle.e@MM Worm:3 [469] BACKDOOR: MyDoom/DoomJuice Activity:1 [470] BACKDOOR: MyDoom/DoomJuice Activity:2 [471] BACKDOOR: MyDoom/DoomJuice Activity:3 [472] BACKDOOR: MyDoom/DoomJuice Activity:4 [473] HTTP: FileSeek CGI Attack:1 [474] HTTP: FileSeek CGI Attack:2 [475] HTTP: FileSeek CGI Attack:3 [476] SMTP: Too Many Message Headers DoS:1 [477] RPC: CMSD Generic Length Buffer Overflow:1 [478] BACKDOOR: WinCrash Trojan:1 [479] BACKDOOR: WinCrash Trojan:2 [480] MSSQL: XP_LogAttach* Run on MSSQL:1 [481] MSSQL: XP_LogAttach* Run on MSSQL:2 [482] HTTP: Apache source.asp Writing File:1 [483] HTTP: Apache source.asp Writing File:2 [484] NNTP: AuthInfo Buffer Overflow:1 [485] BACKDOOR: Voodoo Doll:1 [486] HTTP: HP Openview Network Node Manager Code Execution:1 [487] HTTP: HP Openview Network Node Manager Code Execution:2 [488] HTTP: Htdig Arbitrary File Disclosure:1 [489] HTTP: Htdig Arbitrary File Disclosure:2 [490] IM: AOL Instant Messenger Buffer Overflow Vulnerability:1 [491] MSSQL: SQL Server Resolution Keep Alive DoS:1 [492] HTTP: gwweb Access File:1 [493] HTTP: gwweb Access File:2 [494] BACKDOOR: Quake 
Server Backdoor:1 [495] HTTP: IIS root.exe Execute Command:1 [496] HTTP: IIS root.exe Execute Command:2 [497] SMTP: Domino ENVID DoS:1 [498] SMTP: Domino ENVID DoS:2 [499] HTTP: CSVForm Remote Arbitrary Command Execution:1 [500] HTTP: CSVForm Remote Arbitrary Command Execution:2 [501] RPC: Portmapper XDR Fragment Decoding Buffer Overflow:1 [502] H.225: PROTO Destination Address H323-ID Length Anomaly:1 [503] BACKDOOR: Sygate Non-Authenticated RAE Activity:1 [504] HTTP: Microsoft Remote Data Services Attack:1 [505] HTTP: Microsoft Remote Data Services Attack:2 [506] HTTP: Microsoft Remote Data Services Attack:3 [507] HTTP: Microsoft Remote Data Services Attack:4 [508] Oracle: Application Server Reports Arbitrary System Command Execution:1 [509] SOCKS: SOCKS4 Username Buffer Overflow:1 [510] SOCKS: SOCKS4 Username Buffer Overflow:2 [511] SOCKS: SOCKS4 Username Buffer Overflow:3 [512] BACKDOOR: The Revenger:1 [513] HTTP: Request Path Too Long With Shellcode Detected:1 [514] HTTP: Request Path Too Long With Shellcode Detected:3 [515] BACKDOOR: G-Spot:1 [516] BACKDOOR: The Thing:1 [517] BACKDOOR: The Thing:2 [518] BACKDOOR: The Thing:3 [519] RPC: MOUNTD ADM Buffer Overflow:1 [520] RPC: MOUNTD ADM Buffer Overflow:2 [521] RPC: MOUNTD ADM Buffer Overflow:3 [522] MSSQL: xp_createqueue Possible Buffer Overflow:1 [523] MSSQL: xp_createqueue Possible Buffer Overflow:2 [524] TELNET: Too Many Bad IACs:1 [525] BACKDOOR: Trojan Cow:1 [526] SHELLCODE: Shellcode Exploit Detected for Motorola 68000 Family CPUs:1 [527] SHELLCODE: Shellcode Exploit Detected for Motorola 68000 Family CPUs:2 [528] HTTP: InterScan WebManager HttpSave.dll Buffer Overflow:1 [529] HTTP: InterScan WebManager HttpSave.dll Buffer Overflow:2 [530] HTTP: InterScan WebManager HttpSave.dll Buffer Overflow:3 [531] BACKDOOR: StealthSpy:1 [532] RPC: CACHEFSD Solaris LSD Buffer Overflow:1 [533] RPC: CACHEFSD Solaris LSD Buffer Overflow:2 [534] RPC: CACHEFSD Solaris LSD Buffer Overflow:3 [535] HTTP: Sojourn Input 
Validation Error:1 [536] HTTP: Sojourn Input Validation Error:2 [537] IRC: PTlink IRCD Denial of Service:1 [538] RLOGIN: User Name Too Long:1 [539] RLOGIN: User Name Too Long:2 [540] RLOGIN: User Name Too Long:3 [541] HTTP: e107 PHP Code Injection:1 [542] HTTP: e107 PHP Code Injection:2 [543] BACKDOOR: PC Invader:1 [544] BACKDOOR: PC Invader:2 [545] SMTP: Microsoft Web View Script Injection Vulnerability:1 [546] TCP: Requested MD5 Checksums Missing from TCP Flow:1 [547] SMTP: EXPN Root:1 [548] BACKDOOR: Ultors:1 [549] H.225: Microsoft ISA Server Source Address URL Length Buffer Overflow:1 [550] HTTP: IIS Translate F Read Source Code:1 [551] HTTP: IIS Translate F Read Source Code:2 [552] ORACLE: Buffer Overflow in SYS_CONTEXT():1 [553] HTTP: SGI pfdispaly.cgi Bug:1 [554] HTTP: SGI pfdispaly.cgi Bug:2 [555] HTTP: SGI pfdispaly.cgi Bug:3 [556] DoS: Axent Raptor Crash:1 [557] HTTP: Microsoft ASN.1 Memory Corruption:1 [558] MySQL: Change User Vulnerability:1 [559] BACKDOOR: Psychward:1 [560] BACKDOOR: Psychward:2 [561] HTTP: Microsoft Site Server Arbitrary ASP Code Execution Vulnerability:1 [562] HTTP: Microsoft Site Server Arbitrary ASP Code Execution Vulnerability:2 [563] SMTP: Microsoft Word Font Parsing Buffer Overflow Vulnerability:1 [564] SENSOR: TCP/UDP Control Blocks Resources Exhausted:1 [565] HTTP: checklogin.php Execute Command:1 [566] HTTP: checklogin.php Execute Command:2 [567] RPC: TTDBServerD AIX LSD Buffer Overflow:1 [568] RPC: TTDBServerD AIX LSD Buffer Overflow:2 [569] RPC: TTDBServerD AIX LSD Buffer Overflow:3 [570] RPC: TTDBServerD AIX LSD Buffer Overflow:4 [571] RPC: TTDBServerD AIX LSD Buffer Overflow:5 [572] HTTP: MailSite Buffer Overflow:1 [573] HTTP: MailSite Buffer Overflow:3 [574] ORACLE: 9i Default Configuration File Information Disclosure:1 [575] ORACLE: 9i Default Configuration File Information Disclosure:2 [576] SNMP: PROTOS Test Suite Invalid Version Attack:1 [577] TELNET: Linux In.telnetd Denial of Service:1 [578] HTTP: Cisco 600 Series 
Web Administration DoS:1 [579] HTTP: QShop Privilege Escalation:1 [580] HTTP: QShop Privilege Escalation:2 [581] LPR: Print Passwd HardCopy Attempt:1 [582] FINGER: Cfinger Search Probe:1 [583] HTTP: Virus Wall Overflow:1 [584] HTTP: Virus Wall Overflow:2 [585] HTTP: Virus Wall Overflow:3 [586] BACKDOOR: Gate Crasher:1 [587] DCERPC: Microsoft NTLM ASN.1 Heap Corruption:1 [588] DCERPC: Microsoft NTLM ASN.1 Heap Corruption:2 [589] ORACLE: Application Server Default Page Context-test:1 [590] SNMP: Invalid Tag Detected:1 [591] SNMP: Invalid Tag Detected:2 [592] SNMP: Invalid Tag Detected:3 [593] SNMP: Invalid Tag Detected:4 [594] SNMP: Invalid Tag Detected:5 [595] SNMP: Invalid Tag Detected:6 [596] SNMP: Invalid Tag Detected:7 [597] SNMP: Invalid Tag Detected:8 [598] HTTP: OmniHTTPd Range Header Remote Buffer Overflow:1 [599] HTTP: OmniHTTPd Range Header Remote Buffer Overflow:2 [600] BACKDOOR: Net Terrorist:1 [601] FINGER: Shellcode in Request Detected:1 [602] FINGER: Shellcode in Request Detected:2 [603] FINGER: Shellcode in Request Detected:3 [604] TCP: Indicated TCP Header Length is Larger than Packet:1 [605] BACKDOOR: Doly Trojan:1 [606] BACKDOOR: Doly Trojan:2 [607] BACKDOOR: Doly Trojan:3 [608] MSSQL: xp_setsqlsecurity Possible Buffer Overflow:1 [609] MSSQL: xp_setsqlsecurity Possible Buffer Overflow:2 [610] SNMP: Community String Length Too Long:1 [611] TELNET: Root Login with Wrong Password:1 [612] HTTP: Lotus Domino Web Server iNotes s_Viewname Overflow:1 [613] HTTP: Lotus Domino Web Server iNotes s_Viewname Overflow:2 [614] BACKDOOR: Moonpie:1 [615] SSL: PCT THCLame Challenge Buffer Overflow:1 [616] DCERPC: Malformed Request DoS:7 [617] HTTP: count.cgi Buffer Overflow:1 [618] HTTP: count.cgi Buffer Overflow:2 [619] HTTP: count.cgi Buffer Overflow:3 [620] HTTP: count.cgi Buffer Overflow:4 [621] HTTP: count.cgi Buffer Overflow:5 [622] ORACLE: Listener Input Validation Vulnerabilities:1 [623] SNMP: PROTOS Test Suite Buffer Overflow Attack:1 [624] SNMP: PROTOS 
Test Suite Buffer Overflow Attack:2 [625] SNMP: PROTOS Test Suite Buffer Overflow Attack:3 [626] SNMP: PROTOS Test Suite Buffer Overflow Attack:4 [627] SNMP: PROTOS Test Suite Buffer Overflow Attack:5 [628] SNMP: PROTOS Test Suite Buffer Overflow Attack:6 [629] SNMP: PROTOS Test Suite Buffer Overflow Attack:7 [630] SNMP: PROTOS Test Suite Buffer Overflow Attack:8 [631] SNMP: PROTOS Test Suite Buffer Overflow Attack:9 [632] SNMP: PROTOS Test Suite Buffer Overflow Attack:10 [633] SNMP: PROTOS Test Suite Buffer Overflow Attack:11 [634] SNMP: PROTOS Test Suite Buffer Overflow Attack:12 [635] DNS: Ethereal Name Expansion DoS Overflow:1 [636] SMTP: W32 Mimail.c Worm:1 [637] FINGER: In.fingerd Pipe Remote Command Execution:1 [638] FINGER: In.fingerd Pipe Remote Command Execution:2 [639] HTTP: Brown Orifice HTTPD Access:1 [640] HTTP: Brown Orifice HTTPD Access:2 [641] HTTP: Oracle Web Listener Batch Execute Command:1 [642] HTTP: Oracle Web Listener Batch Execute Command:2 [643] BACKDOOR: TeleCommando:1 [644] HTTP: ColdFusion fileexists Vulnerability:1 [645] HTTP: ColdFusion fileexists Vulnerability:2 [646] BACKDOOR: Dagger Trojan:1 [647] BACKDOOR: Dagger Trojan:2 [648] FTP: Directory Traversal Attempt:1 [649] MSSQL: xp_execresultset Possible Buffer Overflow:1 [650] MSSQL: xp_execresultset Possible Buffer Overflow:2 [651] HTTP: sample.exe Run Command:1 [652] HTTP: sample.exe Run Command:2 [653] HTTP: sample.exe Run Command:3 [654] HTTP: sample.exe Run Command:4 [655] HTTP: sample.exe Run Command:5 [656] WORM: W32/Bagle.bd@MM Worm:1 [657] WORM: W32/Bagle.bd@MM Worm:2 [658] WORM: W32/Bagle.bd@MM Worm:3 [659] WORM: W32/Bagle.bd@MM Worm:4 [660] WORM: W32/Bagle.bd@MM Worm:5 [661] WORM: W32/Bagle.bd@MM Worm:6 [662] DNS: NXT Buffer Overflow:1 [663] DNS: NXT Buffer Overflow:2 [664] DNS: NXT Buffer Overflow:3 [665] SENSOR: Inconclusive Protocol Identification:1 [666] SMTP: Heap Overflow in Windows Script:1 [667] SMTP: Heap Overflow in Windows Script:2 [668] BACKDOOR: 
Last2000/Singularity:1 [669] DoS: Windows ISA Service DoS:1 [670] SNMP: Cisco IOS Undocumented Community String:1 [671] TELNET: Authentication Name Too Long:2 [672] WORM: W32/Mydoom.bd@MM Worm:1 [673] WORM: W32/Mydoom.bd@MM Worm:2 [674] WORM: W32/Mydoom.bd@MM Worm:3 [675] BACKDOOR: Tron:1 [676] DoS: Bonk Attack:1 [677] HTTP: IDS Evading Attempt:1 [678] HTTP: IDS Evading Attempt:2 [679] NETBIOS-SS: Windows Password Guessing:1 [680] BOT: Agobot/Phatbot/Forbot/XtremBot IRC Activity:1 [681] BOT: Agobot/Phatbot/Forbot/XtremBot IRC Activity:2 [682] BOT: Agobot/Phatbot/Forbot/XtremBot IRC Activity:3 [683] BOT: Agobot/Phatbot/Forbot/XtremBot IRC Activity:4 [684] BACKDOOR: Celine:1 [685] MSSQL: Xp_runwebtask Possible Buffer Overflow:1 [686] MSSQL: Xp_runwebtask Possible Buffer Overflow:2 [687] ORACLE: ctxsys.driload Access Validation Vulnerability:1 [688] IRC: IRCd-Hybrid Buffer Overflow:1 [689] IRC: IRCd-Hybrid Buffer Overflow:2 [690] RLOGIN: FROOT Account Attempt:1 [691] RLOGIN: FROOT Account Attempt:2 [692] HTTP: Ipswitch WhatsUp Gold Web Server Buffer Overflow:1 [693] HTTP: Ipswitch WhatsUp Gold Web Server Buffer Overflow:2 [694] BACKDOOR: The Prayer:1 [695] HTTP: RSA SecureID Web Agent Heap Overflow:1 [696] HTTP: RSA SecureID Web Agent Heap Overflow:2 [697] HTTP: Apache Tomcat System Path Info Disclosure:1 [698] HTTP: Apache Tomcat System Path Info Disclosure:2 [699] SMTP: Long SEND Parameters Buffer Overflow Attempt:1 [700] SMTP: Sendmail Debug Exploit:1 [701] SMTP: Sendmail Debug Exploit:2 [702] SMTP: Sendmail Debug Exploit:3 [703] BACKDOOR: Executor:1 [704] BACKDOOR: Executor:2 [705] H.225: Microsoft ISA Server Destination Address URL Buffer Overflow:1 [706] FTP: Glibc Glob Head Corruption:1 [707] MSSQL: Text Formatting Function Possible Buffers Overflow:1 [708] MSSQL: Text Formatting Function Possible Buffers Overflow:2 [709] MSSQL: Text Formatting Function Possible Buffers Overflow:3 [710] MSSQL: Text Formatting Function Possible Buffers Overflow:4 [711] MSSQL: 
Text Formatting Function Possible Buffers Overflow:5 [712] MSSQL: Text Formatting Function Possible Buffers Overflow:6 [713] ORACLE: Parameter/Statement Buffer Overflow Vulnerabilities:1 [714] WORM: W32/Bagle.af@MM Worm:1 [715] WORM: W32/Bagle.af@MM Worm:2 [716] WORM: W32/Bagle.af@MM Worm:3 [717] WORM: W32/Bagle.af@MM Worm:4 [718] WORM: W32/Bagle.af@MM Worm:5 [719] WORM: W32/Bagle.af@MM Worm:6 [720] MySQL: Version 4.1 and 5.0 Authentication Overflow:1 [721] BACKDOOR: Remote Computer Control Center:1 [722] HTTP: ColdFusion MX with Microsoft IIS Buffer Overflow:1 [723] HTTP: ColdFusion MX with Microsoft IIS Buffer Overflow:2 [724] HTTP: Lotus Domino Directory Traversal Vulnerability:1 [725] HTTP: Lotus Domino Directory Traversal Vulnerability:2 [726] HTTP: Netscape Enterprise Server Index Disclosure:1 [727] HTTP: Netscape Enterprise Server Index Disclosure:2 [728] SSL: Packet With No Connection:1 [729] RPC: CMSD Solaris Horizon Buffer Overflow:1 [730] RPC: CMSD Solaris Horizon Buffer Overflow:2 [731] RPC: CMSD Solaris Horizon Buffer Overflow:3 [732] RPC: CMSD Solaris Horizon Buffer Overflow:4 [733] RPC: CMSD Solaris Horizon Buffer Overflow:5 [734] DDoS: Stacheldraht Agent-to-Master:1 [735] MSSQL: xp_oledbinfo Possible Buffer Overflow:1 [736] MSSQL: xp_oledbinfo Possible Buffer Overflow:2 [737] ORACLE: 9iAS PL/SQL OWA UTIL Unauthorized Stored Procedure Access:1 [738] HTTP: cgitest.exe Buffer Overflow:1 [739] HTTP: cgitest.exe Buffer Overflow:2 [740] HTTP: cgitest.exe Buffer Overflow:3 [741] HTTP: cgitest.exe Buffer Overflow:4 [742] TELNET: Masquerading Client Login User:1 [743] HTTP: HP Web JetAdmin Command Execution:1 [744] HTTP: HP Web JetAdmin Command Execution:2 [745] HTTP: HP Web JetAdmin Command Execution:3 [746] HTTP: IIS Chunk Encoding Heap Overflow:1 [747] HTTP: IIS Chunk Encoding Heap Overflow:2 [748] HTTP: PDGSoft Shopping Cart Overflow:1 [749] HTTP: PDGSoft Shopping Cart Overflow:2 [750] HTTP: PDGSoft Shopping Cart Overflow:3 [751] BACKDOOR: BDDT:1 [752] 
BACKDOOR: BDDT:2 [753] BACKDOOR: HTTP Dansie:1 [754] FTP: SITE CPWD Buffer Overflow:1 [755] ORACLE: Application Server Default Page Server Information Leak:1 [756] ORACLE: Application Server Default Page Server Information Leak:2 [757] ORACLE: Application Server Default Page Server Information Leak:3 [758] SNMP: Indefinite Length Encoding Detected:1 [759] SNMP: Indefinite Length Encoding Detected:2 [760] SNMP: Indefinite Length Encoding Detected:3 [761] SNMP: Indefinite Length Encoding Detected:4 [762] SNMP: Indefinite Length Encoding Detected:5 [763] SNMP: Indefinite Length Encoding Detected:6 [764] SNMP: Indefinite Length Encoding Detected:7 [765] SNMP: Indefinite Length Encoding Detected:8 [766] P2P: eDonkey Client Connecting to Server:1 [767] P2P: eDonkey Client Connecting to Server:3 [768] WORM: W32/Bagle.p@MM Worm:1 [769] WORM: W32/Bagle.p@MM Worm:2 [770] WORM: W32/Bagle.p@MM Worm:3 [771] TELNET: Interaccess Telnetd Server 4.0 Terminal Configuration DoS:1 [772] HTTP: Squid NTLM Authentication Buffer Overflow:1 [773] HTTP: Squid NTLM Authentication Buffer Overflow:2 [774] HTTP: phpbb_root_path Remote File Include:1 [775] HTTP: phpbb_root_path Remote File Include:2 [776] TCP: TCP Urgent Data Pointer is Non-zero:1 [777] HTTP: IIS MDAC RDS Buffer Overflow Vulnerability:1 [778] HTTP: IIS MDAC RDS Buffer Overflow Vulnerability:2 [779] RPC: snmpXdmid Generic Length Buffer Overflow:1 [780] HTTP: Netscape Directory Indexing Browse Directory:1 [781] HTTP: Netscape Directory Indexing Browse Directory:2 [782] SNMP: Invalid Generic Trap Code:1 [783] TELNET: User Name Too Long:1 [784] TELNET: User Name Too Long:2 [785] HTTP: Macromedia JRun Admin Server Authentication Bypass:1 [786] HTTP: Macromedia JRun Admin Server Authentication Bypass:2 [787] WINS: Replication Validation Error:1 [788] WINS: Replication Validation Error:2 [789] WINS: Replication Validation Error:3 [790] SMTP: Ecartis Password Disclosure Vulnerability:1 [791] SSL: Client-Initiated Key Renegotiation 
Detected:1 [792] BACKDOOR: NetRaider:1 [793] BACKDOOR: RUX The TIc.K Backdoor:1 [794] BACKDOOR: RUX The TIc.K Backdoor:2 [795] IM: MSN (.NET) Messenger Alive:1 [796] IM: MSN (.NET) Messenger Alive:2 [797] IM: MSN (.NET) Messenger Alive:4 [798] IM: MSN (.NET) Messenger Alive:5 [799] ORACLE: 8i Dbsnmp Command Remote Denial Of Service:1 [800] HTTP: Phorum admin.php3 View File:1 [801] HTTP: Phorum admin.php3 View File:2 [802] HTTP: Phorum admin.php3 View File:3 [803] SNMP: Write Other Default Community String:1 [804] NNTP: LIST Response Parameter Overflow:1 [805] HTTP: Carello File Duplication/Disclosure:1 [806] HTTP: Carello File Duplication/Disclosure:2 [807] FINGER: Bomb Attack:1 [808] RTSP: URI Buffer Overflow in Real Server:1 [809] RTSP: URI Buffer Overflow in Real Server:2 [810] RTSP: URI Buffer Overflow in Real Server:3 [811] FTP: ProFTPD Format String:1 [812] HTTP: Buffer Overflow Attempt Detected in URL:1 [813] HTTP: Buffer Overflow Attempt Detected in URL:2 [814] HTTP: Buffer Overflow Attempt Detected in URL:3 [815] HTTP: Buffer Overflow Attempt Detected in URL:4 [816] HTTP: Buffer Overflow Attempt Detected in URL:5 [817] HTTP: Buffer Overflow Attempt Detected in URL:6 [818] HTTP: rpm_query List Installed Package:1 [819] HTTP: rpm_query List Installed Package:2 [820] TELNET: LD LIBRARY PATH Vulnerability:1 [821] TELNET: LD LIBRARY PATH Vulnerability:2 [822] TELNET: LD LIBRARY PATH Vulnerability:3 [823] TELNET: LD LIBRARY PATH Vulnerability:4 [824] HP: OpenView Omniback Unauthorized OmniBack Client Access:1 [825] IMAP: Buffer Overflow With Overly Long PROXY Command Parameters:1 [826] HTTP: EZMall Information Disclosure:1 [827] HTTP: EZMall Information Disclosure:2 [828] SSL: Certificate Microsoft ASN.1 Message Field Length Encoding Error:1 [829] SSL: Certificate Microsoft ASN.1 Message Field Length Encoding Error:2 [830] SSL: Certificate Microsoft ASN.1 Message Field Length Encoding Error:3 [831] SSL: Certificate Microsoft ASN.1 Message Field Length Encoding 
Error:4 [832] SSL: Certificate Microsoft ASN.1 Message Field Length Encoding Error:5 [833] SSL: Certificate Microsoft ASN.1 Message Field Length Encoding Error:6 [834] BACKDOOR: Insane Network:1 [835] BACKDOOR: Deep Throat Trojan:1 [836] BACKDOOR: Deep Throat Trojan:2 [837] BACKDOOR: Deep Throat Trojan:3 [838] BACKDOOR: Deep Throat Trojan:4 [839] FTP: SITE EXEC Exploit:1 [840] FTP: SITE EXEC Exploit:2 [841] FTP: SITE EXEC Exploit:3 [842] HTTP: Microsoft FrontPage Buffer Overflow:1 [843] HTTP: Microsoft FrontPage Buffer Overflow:2 [844] HTTP: Microsoft FrontPage Buffer Overflow:3 [845] POP3: Brute Force Login Attempt:1 [846] WORM: W32/Zafi.d@MM Worm:1 [847] WORM: W32/Zafi.d@MM Worm:2 [848] WORM: W32/Zafi.d@MM Worm:3 [849] WORM: W32/Zafi.d@MM Worm:4 [850] WORM: W32/Zafi.d@MM Worm:5 [851] WORM: W32/Zafi.d@MM Worm:6 [852] IMAP: Brute Force LOGIN Attempt:1 [853] HTTP: RaQ Bash History Read:1 [854] HTTP: RaQ Bash History Read:2 [855] BACKDOOR: Mantis:1 [856] FTP: WU-FTPD Tarparameters Exploit:1 [857] HTTP: IIS JET VBA Run Command Attempt:1 [858] HTTP: IIS JET VBA Run Command Attempt:3 [859] HTTP: IIS JET VBA Run Command Attempt:2 [860] HTTP: IIS JET VBA Run Command Attempt:4 [861] REXEC: Root Account Attempt:1 [862] Cisco: IOS Protocol DoS:1 [863] SNMP: TrapWatcher Msg Length Buffer Overflow:1 [864] SNMP: TrapWatcher Msg Length Buffer Overflow:2 [865] SNMP: TrapWatcher Msg Length Buffer Overflow:3 [866] HTTP: WWWThreads SQL Command Input:1 [867] HTTP: WWWThreads SQL Command Input:2 [868] BACKDOOR: Dfch:1 [869] HTTP: htmlscript Retrieve Infomation:1 [870] HTTP: htmlscript Retrieve Infomation:2 [871] DDoS: Trin00 Master-to-Agent Communication:1 [872] WORM: W32/Bagle.u@MM Worm:1 [873] WORM: W32/Bagle.u@MM Worm:2 [874] WORM: W32/Bagle.u@MM Worm:3 [875] DHCP: ISC DHCP Server Format String Vulnerability Exploit:1 [876] DHCP: ISC DHCP Server Format String Vulnerability Exploit:2 [877] DHCP: ISC DHCP Server Format String Vulnerability Exploit:3 [878] IMAP: Buffer Overflow 
Attempt Detected in Commands:1 [879] IMAP: Buffer Overflow Attempt Detected in Commands:2 [880] IMAP: Buffer Overflow Attempt Detected in Commands:3 [881] IMAP: Buffer Overflow Attempt Detected in Commands:4 [882] IMAP: Buffer Overflow Attempt Detected in Commands:5 [883] IMAP: Buffer Overflow Attempt Detected in Commands:6 [884] SMTP: Microsoft Outlook Date Field Buffer Overflow:1 [885] SMTP: Microsoft Outlook Date Field Buffer Overflow:2 [886] HTTP: phpBB Search.php SQL Injection:1 [887] HTTP: phpBB Search.php SQL Injection:2 [888] BACKDOOR: FileNail:1 [889] H.225: PROTO Source Address E164 Length Anomaly:1 [890] HTTP: uploader.exe Execute Program:1 [891] HTTP: uploader.exe Execute Program:2 [892] POP3: Buffer Overflow Attempt Detected in Command:1 [893] POP3: Buffer Overflow Attempt Detected in Command:2 [894] POP3: Buffer Overflow Attempt Detected in Command:3 [895] POP3: Buffer Overflow Attempt Detected in Command:4 [896] POP3: Buffer Overflow Attempt Detected in Command:5 [897] POP3: Buffer Overflow Attempt Detected in Command:6 [898] WORM: W32/Mydoom.o@MM Worm:1 [899] WORM: W32/Mydoom.o@MM Worm:2 [900] WORM: W32/Mydoom.o@MM Worm:3 [901] WORM: W32/Mydoom.o@MM Worm:4 [902] WORM: W32/Mydoom.o@MM Worm:5 [903] WORM: W32/Mydoom.o@MM Worm:6 [904] MySQL: MySQL Server for Windows Device Names DoS:1 [905] MySQL: MySQL Server for Windows Device Names DoS:2 [906] IMAP: Buffer Overflow With Overly Long LIST Command Parameters:1 [907] CVS: Revision Buffer Overflow:1 [908] SMB: Microsoft SMB Client Session Setup DoS:1 [909] SMB: Microsoft SMB Client Session Setup DoS:2 [910] SSL: Session Recycled:1 [911] HTTP: Dansie Shopping Cart Backdoor:1 [912] HTTP: Dansie Shopping Cart Backdoor:2 [913] SMTP: Long HELO Parameter Exploit:1 [914] HTTP: Biztalk Receive Buffer Overflow:1 [915] HTTP: Biztalk Receive Buffer Overflow:2 [916] HTTP: Biztalk Receive Buffer Overflow:3 [917] BACKDOOR: B.F.Evolution:1 [918] DCERPC: Microsoft Plug and Play Service Buffer Overflow:1 [919] DCERPC: 
Microsoft Plug and Play Service Buffer Overflow:2 [920] DDoS: Trin00 Attacker-to-Master Remote Password:1 [921] FTP: ProFTPD log_xfer() Buffer Overflow:1 [922] FTP: ProFTPD log_xfer() Buffer Overflow:2 [923] FTP: ProFTPD log_xfer() Buffer Overflow:3 [924] FTP: ProFTPD log_xfer() Buffer Overflow:4 [925] FTP: ProFTPD log_xfer() Buffer Overflow:5 [926] HTTP: Nessus Probe:1 [927] POP3: Qpopper LIST Exploit:1 [928] POP3: Qpopper LIST Exploit:2 [929] WORM: W32/Bagle.h@MM Worm:1 [930] TELNET: Buffer Overflow Attempt Detected in Environment Negotiation:1 [931] TELNET: Buffer Overflow Attempt Detected in Environment Negotiation:2 [932] TELNET: Buffer Overflow Attempt Detected in Environment Negotiation:3 [933] TELNET: Buffer Overflow Attempt Detected in Environment Negotiation:4 [934] TELNET: Buffer Overflow Attempt Detected in Environment Negotiation:5 [935] TELNET: Buffer Overflow Attempt Detected in Environment Negotiation:6 [936] SMTP: Shellcode Found in SMTP Command:1 [937] SMTP: Shellcode Found in SMTP Command:2 [938] SMTP: Shellcode Found in SMTP Command:3 [939] SMTP: Shellcode Found in SMTP Command:4 [940] SMTP: Shellcode Found in SMTP Command:5 [941] SMTP: Shellcode Found in SMTP Command:6 [942] HTTP: NewsPHP Input Validation Vulnerability:1 [943] HTTP: NewsPHP Input Validation Vulnerability:2 [944] RPC: MOUNTD Generic Length Buffer Overflow:1 [945] BACKDOOR: Black Angel:1 [946] HTTP: IIS3 ASP dot2e:1 [947] HTTP: IIS3 ASP dot2e:2 [948] ORACLE: Oracle Web Cache HTTP Heap Overflow:1 [949] HTTP: Anaconda Directory Traversal Attempt:1 [950] HTTP: Anaconda Directory Traversal Attempt:2 [951] POP3: Internet Anywhere RETR Denial of Service:1 [952] POP3: Internet Anywhere RETR Denial of Service:2 [953] POP3: Internet Anywhere RETR Denial of Service:3 [954] XTACACS: Denial of Service Attack:1 [955] WORM: W32/Netsky.y@MM Worm:1 [956] WORM: W32/Netsky.y@MM Worm:2 [957] WORM: W32/Netsky.y@MM Worm:3 [958] HTTP: Cisco Collaboration Server Upload Vulnerability:1 [959] HTTP: Cisco 
Collaboration Server Upload Vulnerability:2 [960] TELNET: Microsoft Windows 2000 Telnet Server Denial of Service:1 [961] BACKDOOR: One Windows Trojan:1 [962] IMAP: Login Buffer Overflow Exploit:1 [963] SMTP: MS05-021 Microsoft Exchange Code Execution:1 [964] HTTP: Htgrep Arbitrary File Disclosure:1 [965] HTTP: Htgrep Arbitrary File Disclosure:2 [966] RPC: TTDBServerD Create File Bufferoverflow:1 [967] RPC: TTDBServerD Create File Bufferoverflow:2 [968] IM: AOL Instant Messenger AddExternalApp Buffer Overflow:1 [969] SCAN: SYN FIN Based Probes:1 [970] SCAN: SYN FIN Based Probes:2 [971] SCAN: SYN FIN Based Probes:3 [972] MSSQL: xp_cmdshell Program Execution:1 [973] MSSQL: xp_cmdshell Program Execution:2 [974] SIP: URI Buffer Overflow in SIP Server:1 [975] SIP: URI Buffer Overflow in SIP Server:2 [976] SIP: URI Buffer Overflow in SIP Server:3 [977] SIP: URI Buffer Overflow in SIP Server:4 [978] SIP: URI Buffer Overflow in SIP Server:5 [979] HTTP: iPlanet Remote File Viewing Vulnerability:1 [980] HTTP: iPlanet Remote File Viewing Vulnerability:2 [981] HTTP: Windows Media Services ISAPI BO:1 [982] HTTP: Windows Media Services ISAPI BO:2 [983] P2P: Phex Alive:1 [984] P2P: Phex Alive:2 [985] RPC: CDE ToolTalk Generic Exploit:1 [986] BACKDOOR: Sockets De Troie Trojan(v2.3):1 [987] BACKDOOR: Sockets De Troie Trojan(v2.3):2 [988] DDoS: Trin00 Daemon-to-Master:1 [989] HTTP: Phorum SQL read.php3 Attack:1 [990] HTTP: Phorum SQL read.php3 Attack:2 [991] WORM: W32/Mydoom.b@MM Worm:1 [992] WORM: W32/Mydoom.b@MM Worm:2 [993] WORM: W32/Mydoom.b@MM Worm:3 [994] WORM: W32/Mydoom.b@MM Worm:4 [995] WORM: W32/Mydoom.b@MM Worm:5 [996] WORM: W32/Mydoom.b@MM Worm:6 [997] BACKDOOR: Phoenix II:1 [998] FINGER: User Information Probe:1 [999] FINGER: User Information Probe:2 [1000] P2P: WinMX File Transferring:1 [1001] P2P: WinMX File Transferring:2 [1002] BACKDOOR: Crazzy Net:1 [1003] RTSP: Real Server View-Source DoS:1 [1004] SNMP: Write Public Community String:1 [1005] TELNET: Linker Options 
Execute Malicious Code:1 [1006] TELNET: Linker Options Execute Malicious Code:2 [1007] TELNET: Linker Options Execute Malicious Code:3 [1008] SMTP: Sendmail Address Buffer Overflow:1 [1009] SMTP: Sendmail Address Buffer Overflow:2 [1010] SMTP: Sendmail Address Buffer Overflow:3 [1011] SMTP: Sendmail Address Buffer Overflow:4 [1012] SMTP: Sendmail Address Buffer Overflow:5 [1013] SMTP: Sendmail Address Buffer Overflow:6 [1014] SMTP: Sendmail Address Buffer Overflow:7 [1015] SMTP: Sendmail Address Buffer Overflow:8 [1016] SMTP: Sendmail Address Buffer Overflow:9 [1017] SMTP: Sendmail HELO Bomb:1 [1018] HTTP: Microsoft Commerce Server AuthFile ISAPI Filter Buffer Overflow:1 [1019] HTTP: Microsoft Commerce Server AuthFile ISAPI Filter Buffer Overflow:2 [1020] DNS: Antisniff Overflow:1 [1021] DNS: Antisniff Overflow:2 [1022] DNS: Antisniff Overflow:3 [1023] DNS: Antisniff Overflow:4 [1024] DNS: Antisniff Overflow:5 [1025] IMAP: Parameters Length Overly Large:1 [1026] HTTP: Attempt to Read Password File:1 [1027] HTTP: Attempt to Read Password File:2 [1028] HTTP: Attempt to Read Password File:3 [1029] HTTP: Attempt to Read Password File:4 [1030] UPnP: Generic Buffer Overflow:1 [1031] UPnP: Generic Buffer Overflow:2 [1032] BACKDOOR: Microspy:1 [1033] P2P: KaZaA File Transferring:1 [1034] P2P: KaZaA File Transferring:2 [1035] P2P: KaZaA File Transferring:3 [1036] P2P: KaZaA File Transferring:4 [1037] FTP: Ftpd Mkdcwd Buffer Overflow:3 [1038] FTP: Ftpd Mkdcwd Buffer Overflow:1 [1039] FTP: Ftpd Mkdcwd Buffer Overflow:2 [1040] REXEC: User Password Too Long:1 [1041] REXEC: User Password Too Long:2 [1042] SNMP: Cisco VCO Password Leak:1 [1043] MSRPC: Windows LSARPC Buffer Overflow:1 [1044] HTTP: .htaccess File Read Attempt:1 [1045] HTTP: .htaccess File Read Attempt:2 [1046] HTTP: DCForum DCShop File Disclosure:1 [1047] HTTP: DCForum DCShop File Disclosure:2 [1048] HTTP: Read UNIX History File:1 [1049] HTTP: Read UNIX History File:2 [1050] DDoS: Shaft Agent-to-Handler 
Communication:1 [1051] WORM: W32/Lovgate.ad@MM Worm:1 [1052] WORM: W32/Lovgate.ad@MM Worm:2 [1053] WORM: W32/Lovgate.ad@MM Worm:3 [1054] DHCP: ISC DHCPD Hostname Overflow:1 [1055] IMAP: Buffer Overflow with Overly Long CREATE Command Parameters:1 [1056] RADIUS: Memory Exhaustion Exploit:1 [1057] SHELLCODE: Shellcode Detected for Intel Alpha Family CPUs:1 [1058] SHELLCODE: Shellcode Detected for Intel Alpha Family CPUs:2 [1059] SMTP: MaZ Worm Email:1 [1060] SMTP: MaZ Worm Email:2 [1061] HTTP: NETObserve Security Bypass Vulnerability:1 [1062] HTTP: NETObserve Security Bypass Vulnerability:2 [1063] HTTP: NETObserve Security Bypass Vulnerability:3 [1064] BACKDOOR: Ghost:1 [1065] DCERPC: Microsoft Windows RPCSS Memory Leak DoS:1 [1066] RPC: MOUNTD Humpdee2 Buffer Overflow:1 [1067] RPC: MOUNTD Humpdee2 Buffer Overflow:2 [1068] HTTP: Tatantella TTAWebTop View File:1 [1069] HTTP: Tatantella TTAWebTop View File:2 [1070] HTTP: WEBgais Input Validation:1 [1071] HTTP: WEBgais Input Validation:2 [1072] HTTP: WEBgais Input Validation:3 [1073] RSH: User Name Too Long:1 [1074] RSH: User Name Too Long:2 [1075] RSH: User Name Too Long:3 [1076] POP3: Buffer Overflow Attempt With LIST Parameters:2 [1077] WORM: W32/Bagle.az@MM Worm:1 [1078] WORM: W32/Bagle.az@MM Worm:2 [1079] WORM: W32/Bagle.az@MM Worm:3 [1080] WORM: W32/Bagle.az@MM Worm:4 [1081] WORM: W32/Bagle.az@MM Worm:5 [1082] WORM: W32/Bagle.az@MM Worm:6 [1083] IMAP: Buffer Overflow With Overly Long SEARCH Command Parameters:1 [1084] SSL: Unsupported Export Cipher:1 [1085] HTTP: PDGSoft Shopping Cart Orders Exposure:1 [1086] HTTP: PDGSoft Shopping Cart Orders Exposure:2 [1087] BACKDOOR: Balistix:1 [1088] BACKDOOR: Balistix:2 [1089] DCERPC: Microsoft SPOOLSS Service Buffer Overflow:1 [1090] BACKDOOR: Event Horizon:1 [1091] FTP: Ftpd Wh00tscan:1 [1092] POP3: Qpop.c LIST Buffer Overflow:1 [1093] WORM: W32/Sober.d@MM Worm:1 [1094] WORM: W32/Sober.d@MM Worm:2 [1095] WORM: W32/Sober.d@MM Worm:3 [1096] WORM: W32/Sober.d@MM Worm:4 [1097] 
WORM: W32/Sober.d@MM Worm:5 [1098] WORM: W32/Sober.d@MM Worm:6 [1099] TFTP: Directory Traversal Exploit:1 [1100] BACKDOOR: Buschtrommel:1 [1101] BACKDOOR: Buschtrommel:2 [1102] RPC: Cachefsd Generic Length Buffer Overflow:1 [1103] HTTP: Possible Authentication Buffer Overflow:1 [1104] HTTP: Possible Authentication Buffer Overflow:2 [1105] HTTP: campas.cgi Web Access:1 [1106] HTTP: campas.cgi Web Access:2 [1107] HTTP: campas.cgi Web Access:3 [1108] IGMP: Fawx Attack:1 [1109] POP3: Winproxy Buffer Overflow:1 [1110] WORM: W32/Netsky.AB@MM Worm:1 [1111] WORM: W32/Netsky.AB@MM Worm:2 [1112] WORM: W32/Netsky.AB@MM Worm:3 [1113] IMAP: SELECT Buffer Overflow Exploit:1 [1114] SENSOR: PREVDATA Buffers Exhausted:1 [1115] LPR: Stack Buffer Overflow:1 [1116] SMTP: Buffer Overflow Attempted with Overly Long VRFY Parameters:1 [1117] HTTP: IIS Index Server Directory Disclosure:1 [1118] HTTP: IIS Index Server Directory Disclosure:2 [1119] IM: AOL Instant Messenger AddGame Buffer Overflow Vulnerability:1 [1120] FTP: CWD ~root:1 [1121] FTP: CWD ~root:2 [1122] BACKDOOR: QAZ:1 [1123] SMB: Samba Mangling Method Buffer Overflow:1 [1124] SMB: Samba Mangling Method Buffer Overflow:2 [1125] SMB: Samba Mangling Method Buffer Overflow:3 [1126] SMB: Samba Mangling Method Buffer Overflow:4 [1127] SMB: Samba Mangling Method Buffer Overflow:5 [1128] SMB: Samba Mangling Method Buffer Overflow:6 [1129] SMB: Samba Mangling Method Buffer Overflow:7 [1130] SMB: Samba Mangling Method Buffer Overflow:8 [1131] SMB: Samba Mangling Method Buffer Overflow:9 [1132] SMB: Samba Mangling Method Buffer Overflow:10 [1133] SMB: Samba Mangling Method Buffer Overflow:11 [1134] SMB: Samba Mangling Method Buffer Overflow:12 [1135] SMB: Samba Mangling Method Buffer Overflow:13 [1136] SMB: Samba Mangling Method Buffer Overflow:14 [1137] SMB: Samba Mangling Method Buffer Overflow:15 [1138] SYBASE: DBCC CHECKVERIFY Command Used:1 [1139] SYBASE: DBCC CHECKVERIFY Command Used:2 [1140] SMTP: Skyfull Mail Server Buffer 
Overflow:1 [1141] XFS: fs.auto Remote Buffer Overflow Vulnerability:1 [1142] XFS: fs.auto Remote Buffer Overflow Vulnerability:2 [1143] HTTP: Analogx Proxy Overly Long URL Vulnerability:1 [1144] ARP: MAC Address Flip-Flop:1 [1145] MSSQL: PWDENCRYPT Possible Buffer Overflow:1 [1146] MSSQL: PWDENCRYPT Possible Buffer Overflow:2 [1147] MSSQL: PWDENCRYPT Possible Buffer Overflow:3 [1148] MSSQL: PWDENCRYPT Possible Buffer Overflow:4 [1149] DDoS: Stacheldraht Master-Response:1 [1150] WORM: W32/Mydoom.f@MM Worm:1 [1151] WORM: W32/Mydoom.f@MM Worm:2 [1152] WORM: W32/Mydoom.f@MM Worm:3 [1153] WORM: W32/Mydoom.f@MM Worm:4 [1154] WORM: W32/Mydoom.f@MM Worm:5 [1155] WORM: W32/Mydoom.f@MM Worm:6 [1156] BACKDOOR: Remote Explorer:1 [1157] SMTP: MERCUR SMTP EXPN Buffer Overflow:1 [1158] IM: Yahoo Messenger Server Lookup:1 [1159] IM: Yahoo Messenger Server Lookup:2 [1160] IM: AIM(ICQ) File Transfer:1 [1161] IM: AIM(ICQ) File Transfer:2 [1162] IM: AIM(ICQ) File Transfer:3 [1163] IM: AIM(ICQ) File Transfer:4 [1164] TELNET: BSD Tgetent Exploit:1 [1165] TELNET: BSD Tgetent Exploit:2 [1166] TELNET: BSD Tgetent Exploit:3 [1167] TELNET: BSD Tgetent Exploit:4 [1168] HTTP: ColdFusion MX on IIS File Contents Disclosure Vulnerability:1 [1169] MSRPC: NT RAS Administration Registry Key Vulnerability:1 [1170] SMTP: SMI User Bin Access:1 [1171] HTTP: WebSPIRS Input Validation Error:1 [1172] HTTP: WebSPIRS Input Validation Error:2 [1173] NTP: NTPD Remote Buffer Overflow:1 [1174] NTP: NTPD Remote Buffer Overflow:2 [1175] NTP: NTPD Remote Buffer Overflow:3 [1176] BACKDOOR: Windows Mite:1 [1177] HTTP: Apache Tomcat Sensitive Information Disclosure:1 [1178] HTTP: Apache Tomcat Sensitive Information Disclosure:2 [1179] HTTP: Apache Tomcat Sensitive Information Disclosure:3 [1180] DCERPC: RFPoison DoS Attack:1 [1181] SMTP: Sendmail 8.6.9 Exploit:1 [1182] SMTP: Sendmail 8.6.9 Exploit:2 [1183] SMTP: Sendmail 8.6.9 Exploit:3 [1184] UPnP: Netgear ProSafe Router Information Leak:1 [1185] KERBEROS: Microsoft 
Kerberos 5 ASN.1 Length Encoding Error:1 [1186] P2P: Morpheus Alive:1 [1187] P2P: Morpheus Alive:2 [1188] BACKDOOR: Serveme:1 [1189] HTTP: Code Red Worm - IIS Index Server Overflow:1 [1190] IRC: Trillian Numeric Buffer Overflow:1 [1191] IP: Abnormally High Number of Small Fragments:1 [1192] HTTP: Forms.exe Buffer Overflow:1 [1193] HTTP: Forms.exe Buffer Overflow:2 [1194] DDoS: Stacheldraht Master-to-Agent (niggahbitch):1 [1195] BACKDOOR: NetMonitor (NetSpy):1 [1196] BACKDOOR: NetMonitor (NetSpy):2 [1197] RPC: CMSD Solaris LSD Buffer Overflow:1 [1198] RPC: CMSD Solaris LSD Buffer Overflow:2 [1199] FTP: IIS FTP Wildcard Denial of Service:1 [1200] FTP: Bftpd SITE CHOWN Buffer Overflow:1 [1201] HTTP: Thttpd Stack Overflow:1 [1202] HTTP: Thttpd Stack Overflow:2 [1203] HTTP: Thttpd Stack Overflow:3 [1204] DDoS: mstream Handler Ping to Agent:1 [1205] BACKDOOR: School Bus:1 [1206] IDENT: Suspiciously Long Request:1 [1207] IDENT: Suspiciously Long Request:2 [1208] IDENT: Suspiciously Long Request:3 [1209] IDENT: Suspiciously Long Request:4 [1210] HTTP: Cisco Secure ACS Web Management Interface Buffer Overflow:1 [1211] HTTP: Cisco Secure ACS Web Management Interface Buffer Overflow:2 [1212] BACKDOOR: Prosiak:1 [1213] BACKDOOR: Prosiak:2 [1214] BACKDOOR: Prosiak:3 [1215] BACKDOOR: Prosiak:4 [1216] RPC: STATD SMMON Buffer Overflow:1 [1217] RPC: STATD SMMON Buffer Overflow:2 [1218] RPC: STATD SMMON Buffer Overflow:3 [1219] RPC: STATD SMMON Buffer Overflow:4 [1220] DCERPC: Microsoft RPC Information Disclosure and DoS:1 [1221] DCERPC: Microsoft RPC Information Disclosure and DoS:2 [1222] MSSQL: xp_displayqueuemesgs Possible Buffer Overflow:1 [1223] MSSQL: xp_displayqueuemesgs Possible Buffer Overflow:2 [1224] TCP: Bare Push Probe:1 [1225] FTP: FTPD x86 Linux Buffer Overflow:1 [1226] FTP: FTPD x86 Linux Buffer Overflow:3 [1227] FTP: FTPD x86 Linux Buffer Overflow:2 [1228] HTTP: Auktion Directory Traversal:1 [1229] HTTP: Auktion Directory Traversal:2 [1230] RSH: Null Login:1 [1231] 
SRCP: Buffer Overflows in Srcpd:1 [1232] POP3: Buffer Overflow Attempt With TOP Parameters:1 [1233] IRC: BitchX Format String Exploit:1 [1234] IRC: BitchX Format String Exploit:2 [1235] DNS: OPT Denial of Service:1 [1236] IMAP: Buffer Overflow With Overly Long COPY Command Parameters:1 [1237] HTTP: Quikstore Config File Exposure:1 [1238] HTTP: Quikstore Config File Exposure:2 [1239] TCP: Urgent Pointer is Set but Ack is Zero:1 [1240] SMTP: Lotus RCPT TO Overflow:1 [1241] SMTP: Lotus RCPT TO Overflow:2 [1242] HTTP: Weblogic Plugin Overflow:1 [1243] HTTP: Weblogic Plugin Overflow:2 [1244] HTTP: Weblogic Plugin Overflow:3 [1245] BACKDOOR: Tini:1 [1246] FTP: Overly Long USER Parameters with Shellcode:1 [1247] FTP: Ftpd SAINT Scan:1 [1248] HTTP: Piranha Execute Command:1 [1249] HTTP: Piranha Execute Command:2 [1250] ORACLE: Server String Conversion Function Buffer Overflow:1 [1251] BACKDOOR: Internal Revise:1 [1252] SMTP: Microsoft Outlook Web Access Cross Site Scripting:1 [1253] SMTP: Microsoft Outlook Web Access Cross Site Scripting:2 [1254] BACKDOOR: Asylum Trojan:1 [1255] BACKDOOR: Asylum Trojan:2 [1256] BACKDOOR: Asylum Trojan:3 [1257] BACKDOOR: Asylum Trojan:4 [1258] DCERPC: DCOM RemoteGetClassObject DoS:1 [1259] DCERPC: DCOM RemoteGetClassObject DoS:2 [1260] MSSQL: xp_showcolv Possible Buffer Overflow:1 [1261] MSSQL: xp_showcolv Possible Buffer Overflow:2 [1262] HTTP: WEBactive HTTP Server File Disclosure:1 [1263] HTTP: WEBactive HTTP Server File Disclosure:2 [1264] POP3: WinGate Popd Denial of Service:1 [1265] WORM: W32/Stdbot.B Worm:1 [1266] IMAP: wu-imapd LSUB Buffer Overflow Exploit:1 [1267] IMAP: wu-imapd LSUB Buffer Overflow Exploit:2 [1268] LPR: Remove File as Root Exploit:1 [1269] LPR: Remove File as Root Exploit:2 [1270] SMTP: CMail Buffer Overflow:1 [1271] IDENT: Xinetd Buffer Overflow Vulnerability:1 [1272] IDENT: Xinetd Buffer Overflow Vulnerability:2 [1273] IDENT: Xinetd Buffer Overflow Vulnerability:3 [1274] BACKDOOR: Delta Source:1 [1275] BACKDOOR: 
Delta Source:2 [1276] BACKDOOR: Delta Source:3 [1277] DCERPC: Project1 Exploit:1 [1278] FTP: Ftpd Mkd Buffer Overflow:1 [1279] FTP: Ftpd Mkd Buffer Overflow:2 [1280] FTP: Ftpd Mkd Buffer Overflow:3 [1281] HTTP: Webdist.cgi Execute Command:1 [1282] HTTP: Webdist.cgi Execute Command:2 [1283] HTTP: Webdist.cgi Execute Command:3 [1284] DNS: Looping Compression Pointer:1 [1285] BACKDOOR: Net Controller:1 [1286] IP: IP Fragment too Large:1 [1287] SMTP: Too Many Long Commands DoS:1 [1288] RDP: Microsoft Windows RDP Server Abnormal Termination:1 [1289] ARP: Reply with Broadcast Destination MAC Address:1 [1290] BACKDOOR: Alvgus:1 [1291] BACKDOOR: Alvgus:2 [1292] MSSQL: Hello DoS:1 [1293] MSSQL: Hello DoS:2 [1294] HTTP: Nortel Contivity File View:1 [1295] HTTP: Nortel Contivity File View:2 [1296] SNMP: OID Length Too Long:1 [1297] IRC: mIRC Userhost Buffer Overflow:1 [1298] HTTP: Windows Sharepoint Services Cross-Site Scripting:1 [1299] WORM: W32/Bagle.c@MM Worm:1 [1300] WORM: W32/Bagle.c@MM Worm:2 [1301] WORM: W32/Bagle.c@MM Worm:3 [1302] BACKDOOR: Beast:1 [1303] BACKDOOR: Beast:2 [1304] SMTP: Sendmail WIZ Privileged Access:1 [1305] HTTP: Talkback CGI Traversal:1 [1306] HTTP: Talkback CGI Traversal:2 [1307] RPC: TTDBServerD Generic Length Buffer Overflow:1 [1308] RTSP: Denial of Service Vulnerability:1 [1309] RTSP: Denial of Service Vulnerability:2 [1310] BACKDOOR: GirlFriend Trojan:1 [1311] HTTP: iCat Carbo.dll File Disclosure:1 [1312] HTTP: iCat Carbo.dll File Disclosure:2 [1313] BACKDOOR: Vagr Noker:1 [1314] SMTP: All-Mail Buffer Overflow:1 [1315] HTTP: IIS fpcount.exe Buffer Overflow:1 [1316] HTTP: IIS fpcount.exe Buffer Overflow:2 [1317] HTTP: IIS fpcount.exe Buffer Overflow:3 [1318] IM: Microsoft MSN Messenger Font Tag DoS Vulnerability:1 [1319] HTTP: mlog.phtml Access Files:1 [1320] HTTP: mlog.phtml Access Files:2 [1321] Subversion: Date Parsing Buffer Overflow:1 [1322] BACKDOOR: YAT:1 [1323] BACKDOOR: YAT:2 [1324] HTTP: IIS .BAT Execute Command:1 [1325] HTTP: IIS 
.BAT Execute Command:2 [1326] NETBIOS-SS: Bugbear Virus Worm:1 [1327] SMTP: McAfee WebShield SMTP Trailing Period DoS:1 [1328] HTTP: Compaq Web Admin Buffer Overflow:1 [1329] HTTP: Compaq Web Admin Buffer Overflow:2 [1330] H.225: PROTO Source Address H323-ID Length Anomaly:1 [1331] BACKDOOR: Millenium:1 [1332] RPC: XDR Fragment Decoding Buffer Overflow:1 [1333] P2P: Grokster Alive:1 [1334] P2P: Grokster Alive:2 [1335] HTTP: IIS .printer Buffer Overflow:1 [1336] HTTP: IIS .printer Buffer Overflow:2 [1337] HTTP: IIS .printer Buffer Overflow:3 [1338] HTTP: IIS .printer Buffer Overflow:4 [1339] HTTP: IIS .printer Buffer Overflow:5 [1340] Oracle: Application Server Forms Arbitrary System Command Execution:1 [1341] SOCKS: SOCKS5 Hostname Buffer Overflow:1 [1342] SOCKS: SOCKS5 Hostname Buffer Overflow:2 [1343] SOCKS: SOCKS5 Hostname Buffer Overflow:3 [1344] BACKDOOR: Remote Revise:1 [1345] SMB: Unix Password File Access Attempt:1 [1346] SMB: Unix Password File Access Attempt:2 [1347] RPC: SADMIND X86 Buffer Overflow:1 [1348] RPC: SADMIND X86 Buffer Overflow:2 [1349] RPC: SADMIND X86 Buffer Overflow:3 [1350] MSSQL: xp_createprivatequeue Possible Buffer Overflow:1 [1351] MSSQL: xp_createprivatequeue Possible Buffer Overflow:2 [1352] HTTP: SuSE Apache Information Leak:1 [1353] HTTP: SuSE Apache Information Leak:2 [1354] HTTP: Microsoft FrontPage shtml.exe Path Disclosure:1 [1355] HTTP: Microsoft FrontPage shtml.exe Path Disclosure:2 [1356] DoS: UDP Land Attack:1 [1357] HTTP: IIS File Fragment Disclosure Vulnerability:1 [1358] HTTP: IIS File Fragment Disclosure Vulnerability:2 [1359] SHELLCODE: Shellcode Exploit Detected for PowerPC Family CPUs:1 [1360] SHELLCODE: Shellcode Exploit Detected for PowerPC Family CPUs:2 [1361] SHELLCODE: Shellcode Exploit Detected for PowerPC Family CPUs:3 [1362] SHELLCODE: Shellcode Exploit Detected for PowerPC Family CPUs:4 [1363] SHELLCODE: Shellcode Exploit Detected for PowerPC Family CPUs:5 [1364] BACKDOOR: Y3K ICQ Pager:1 [1365] BACKDOOR: 
SniperNet:1 [1366] BACKDOOR: SniperNet:2 [1367] RPC: Portmap Dump Request:1 [1368] MSSQL: Xp_readpkfromvarbin Possible Buffer Overflow:1 [1369] MSSQL: Xp_readpkfromvarbin Possible Buffer Overflow:2 [1370] HTTP: BigBrother Access Validation Error:1 [1371] HTTP: BigBrother Access Validation Error:2 [1372] ORACLE: TO_TIMESTAMP_TZ Buffer Overflow:1 [1373] CA: License Server Remote Buffer Overflow:1 [1374] CA: License Server Remote Buffer Overflow:2 [1375] CA: License Server Remote Buffer Overflow:3 [1376] CA: License Server Remote Buffer Overflow:4 [1377] CA: License Server Remote Buffer Overflow:5 [1378] IRC: BNC Proxy Buffer Overflow:1 [1379] IRC: BNC Proxy Buffer Overflow:2 [1380] RLOGIN: Failed Login:1 [1381] BACKDOOR: Optix:1 [1382] SMTP: Microsoft IE Long Hostname Heap Corruption:1 [1383] TCP: Timestamp Option:1 [1384] SMTP: Decode Exploit:1 [1385] SMTP: Decode Exploit:2 [1386] SMTP: Decode Exploit:3 [1387] HTTP: PHP MyAdmin Eval Execute:1 [1388] HTTP: PHP MyAdmin Eval Execute:2 [1389] HTTP: PHP MyAdmin Eval Execute:3 [1390] HTTP: PHP MyAdmin Eval Execute:4 [1391] H.225: Microsoft ISA server Source Address Email Buffer Overflow:1 [1392] BACKDOOR: Truva/tRuVa:1 [1393] MSSQL: Buffer Overflow Shellcode ACTIVE ATTACK:1 [1394] MSSQL: Buffer Overflow Shellcode ACTIVE ATTACK:2 [1395] MSSQL: Buffer Overflow Shellcode ACTIVE ATTACK:3 [1396] MSSQL: Buffer Overflow Shellcode ACTIVE ATTACK:4 [1397] MSSQL: Buffer Overflow Shellcode ACTIVE ATTACK:5 [1398] MSSQL: Buffer Overflow Shellcode ACTIVE ATTACK:6 [1399] HTTP: PCCS MySQL Database Obtain Sensitive Infomation:1 [1400] HTTP: PCCS MySQL Database Obtain Sensitive Infomation:2 [1401] ORACLE: Buffer Overflow in DBMS_SYSTEM.KSDWRT():1 [1402] SNMP: Protocol Anomaly Invalid Bulk Request MaxRepetitions:1 [1403] DoS: WinNuke/Out-of-Band DoS:1 [1404] TFTP: Dabber Worm:1 [1405] HTTP: Apache apr-util IPv6 Uri Parsing Exploit:1 [1406] HTTP: Apache apr-util IPv6 Uri Parsing Exploit:2 [1407] MySQL: Login Failed:1 [1408] MySQL: Login 
Failed:2 [1409] BACKDOOR: Project Next:1 [1410] HTTP: IIS Double Byte Code Page Vulnerability:1 [1411] HTTP: IIS Double Byte Code Page Vulnerability:2 [1412] SMTP: Microsoft Color Management Modules Vulnerability:1 [1413] ICMP: Modem +++ATH0 DoS:1 [1414] BACKDOOR: Chupacabra Trojan:1 [1415] RPC: TTDBServerD APK Solaris Buffer Overflow:1 [1416] RPC: TTDBServerD APK Solaris Buffer Overflow:2 [1417] RPC: TTDBServerD APK Solaris Buffer Overflow:3 [1418] MSSQL: Possible Extended Stored Procedure Buffer Overflow:1 [1419] MSSQL: Possible Extended Stored Procedure Buffer Overflow:3 [1420] ORACLE: 9iAS Apache PL/SQL Module Web Administration Access Vulnerability:1 [1421] TELNET: WinGate Denial of Service:1 [1422] TELNET: WinGate Denial of Service:2 [1423] HTTP: Apache Log File Overwrite:1 [1424] HTTP: Apache Log File Overwrite:2 [1425] PPTP: MicroSoft PPTP Server Buffer Overflow:1 [1426] LPR: OS Detection Attempt:1 [1427] SMTP: Microsoft Outlook mailto URL Exploit:1 [1428] SMTP: Microsoft Outlook mailto URL Exploit:2 [1429] FINGER: Root Information Probe:1 [1430] IDENT: Stunnel Local Arbitrary Command Execution:1 [1431] IDENT: Stunnel Local Arbitrary Command Execution:2 [1432] IDENT: Stunnel Local Arbitrary Command Execution:3 [1433] HTTP: IIS Index Server Source Disclosure:1 [1434] HTTP: IIS Index Server Source Disclosure:2 [1435] DCERPC: Microsoft Workstation Service Buffer Overflow:1 [1436] DCERPC: Microsoft Workstation Service Buffer Overflow:2 [1437] DCERPC: Microsoft Workstation Service Buffer Overflow:3 [1438] BACKDOOR: Frenzy:1 [1439] BACKDOOR: Frenzy:2 [1440] BACKDOOR: Frenzy:3 [1441] FTP: Solaris2.8 Format String:1 [1442] FTP: Solaris2.8 Format String:2 [1443] HTTP: Shtml Exe DoS:1 [1444] HTTP: Shtml Exe DoS:2 [1445] ORACLE: Application Server Printenv Information Disclosure:1 [1446] HTTP: SurgeLDAP 1.0g Web Service user.cgi Directory Traversal:1 [1447] HTTP: SurgeLDAP 1.0g Web Service user.cgi Directory Traversal:2 [1448] RSYNC: Checksum Heap Overflow:1 [1449] 
BACKDOOR: NetTrash/WinRAT/Oxon:1 [1450] BACKDOOR: NetTrash/WinRAT/Oxon:2 [1451] HTTP: PHPBB Admin Authentication Bypass:1 [1452] HTTP: PHPBB Admin Authentication Bypass:2 [1453] FINGER: FingerD Information Disclosure:1 [1454] TCP: TCP Header Abnormally Small:1 [1455] BACKDOOR: Satan's BackDoor Trojan:1 [1456] BACKDOOR: Satan's BackDoor Trojan:2 [1457] MSSQL: xp_displayparamstmt Possible Buffer Overflow:1 [1458] MSSQL: xp_displayparamstmt Possible Buffer Overflow:2 [1459] HTTP: WebSpeed Sensitive Info Disclosure:1 [1460] HTTP: WebSpeed Sensitive Info Disclosure:2 [1461] DNS: SIG Buffer Overflow:1 [1462] DNS: SIG Buffer Overflow:2 [1463] HTTP: FUDforum Script Exploit:1 [1464] HTTP: FUDforum Script Exploit:2 [1465] HTTP: FUDforum Script Exploit:3 [1466] BACKDOOR: Mneah:1 [1467] BACKDOOR: Mneah:2 [1468] SSL: Microsoft ASN.1 Double Free Code Execution:1 [1469] BACKDOOR: Windows Command Shell Running:1 [1470] BACKDOOR: Windows Command Shell Running:2 [1471] BACKDOOR: Windows Command Shell Running:3 [1472] BACKDOOR: Windows Command Shell Running:4 [1473] BACKDOOR: Windows Command Shell Running:5 [1474] FTP: Serv-U MDTM Buffer Overflow:1 [1475] FTP: Serv-U MDTM Buffer Overflow:2 [1476] MSSQL: Microsoft Data Access Components Buffer Overflow:1 [1477] MSSQL: Microsoft Data Access Components Buffer Overflow:2 [1478] MSSQL: Microsoft Data Access Components Buffer Overflow:3 [1479] MSSQL: Microsoft Data Access Components Buffer Overflow:4 [1480] MSSQL: Microsoft Data Access Components Buffer Overflow:5 [1481] HTTP: Convert.bas Retrieval Files:1 [1482] HTTP: Convert.bas Retrieval Files:2 [1483] ORACLE: Web Listener Batch File Vulnerability:1 [1484] SNMP: Empty UDP Attack DoS:1 [1485] TCP: TCP Fragments Overlap with Data Mismatch:1 [1486] SMTP: Microsoft Exchange XEXCH50 Heap Overflow:1 [1487] SMTP: Microsoft Exchange XEXCH50 Heap Overflow:2 [1488] FINGER: Ffingerd User:1 [1489] HTTP: nph-test-cgi Browse File System:1 [1490] HTTP: nph-test-cgi Browse File System:2 [1491] 
BACKDOOR: Remote Storm:1 [1492] BACKDOOR: Remote Storm:2 [1493] HTTP: ColdFusion CFCACHE Vulnerability:1 [1494] HTTP: ColdFusion CFCACHE Vulnerability:2 [1495] SSL: Apache SSL Slapper Worm:1 [1496] SSL: Apache SSL Slapper Worm:2 [1497] SSL: Apache SSL Slapper Worm:3 [1498] SSL: Apache SSL Slapper Worm:4 [1499] SSL: Apache SSL Slapper Worm:5 [1500] BACKDOOR: Hellz Addiction:1 [1501] BACKDOOR: Theef Trojan:1 [1502] BACKDOOR: Theef Trojan:2 [1503] BACKDOOR: Theef Trojan:3 [1504] FTP: Generic Format String Attack:1 [1505] FTP: Generic Format String Attack:2 [1506] FTP: Generic Format String Attack:3 [1507] FTP: Generic Format String Attack:4 [1508] HTTP: wguest.exe Input Validation:1 [1509] HTTP: wguest.exe Input Validation:2 [1510] SOCKS: SOCKS Server Running on Non-Standard Port:1 [1511] SOCKS: SOCKS Server Running on Non-Standard Port:2 [1512] SOCKS: SOCKS Server Running on Non-Standard Port:3 [1513] SOCKS: SOCKS Server Running on Non-Standard Port:4 [1514] DNS: IQUERY Buffer Overflow:1 [1515] DNS: IQUERY Buffer Overflow:2 [1516] DNS: IQUERY Buffer Overflow:3 [1517] DNS: IQUERY Buffer Overflow:4 [1518] DNS: IQUERY Buffer Overflow:5 [1519] BACKDOOR: Schneckenkorn:1 [1520] HTTP: ocPortal Arbitrary File Inclusion Vulnerability:1 [1521] SMTP: VirusWall SMTP HELO Buffer Overflow:1 [1522] HTTP: Request Parameters Overly Long with Shellcode Detected:2 [1523] HTTP: Request Parameters Overly Long with Shellcode Detected:3 [1524] BACKDOOR: Konik:1 [1525] MSSQL: xp_deleteprivatequeue Possible Buffer Overflow:1 [1526] MSSQL: xp_deleteprivatequeue Possible Buffer Overflow:2 [1527] HTTP: Microsoft IIS Alternator Data Streams Source Disclosure:1 [1528] HTTP: Microsoft IIS Alternator Data Streams Source Disclosure:2 [1529] SNMP: System.sysName.0 Bufferoverflow:1 [1530] SNMP: System.sysName.0 Bufferoverflow:2 [1531] SNMP: System.sysName.0 Bufferoverflow:3 [1532] WORM: W32/Mydoom.bc@MM Worm:1 [1533] WORM: W32/Mydoom.bc@MM Worm:2 [1534] WORM: W32/Mydoom.bc@MM Worm:3 [1535] WORM: 
W32/Mydoom.bc@MM Worm:4 [1536] WORM: W32/Mydoom.bc@MM Worm:5 [1537] WORM: W32/Mydoom.bc@MM Worm:6 [1538] TELNET: User Local Exploit Attempt:1 [1539] BACKDOOR: Ullysse:1 [1540] HTTP: Sybase EAServer TreeAction.do Buffer Overflow:1 [1541] HTTP: Sybase EAServer TreeAction.do Buffer Overflow:2 [1542] DoS: SynDrop Attack:1 [1543] HTTP: Apache Tomcat Servlet Mapping Cross Site Scripting:1 [1544] HTTP: Apache Tomcat Servlet Mapping Cross Site Scripting:2 [1545] HTTP: Weblogic File Source Read:1 [1546] HTTP: Weblogic File Source Read:2 [1547] NETBIOS-SS: Samba File Creation:1 [1548] NETBIOS-SS: Samba File Creation:2 [1549] BOT: RxBot/SDBot/UrxBot Worm IRC Activity:1 [1550] BOT: RxBot/SDBot/UrxBot Worm IRC Activity:2 [1551] BOT: RxBot/SDBot/UrxBot Worm IRC Activity:3 [1552] BOT: RxBot/SDBot/UrxBot Worm IRC Activity:4 [1553] BOT: RxBot/SDBot/UrxBot Worm IRC Activity:5 [1554] BOT: RxBot/SDBot/UrxBot Worm IRC Activity:6 [1555] HTTP: Netscape PageServices Directory Listing:1 [1556] HTTP: Netscape PageServices Directory Listing:2 [1557] RPC: Portmap Set Request:1 [1558] RPC: Portmap Set Request:2 [1559] MSSQL: Xp_unpackcab Possible Buffer Overflow:1 [1560] MSSQL: Xp_unpackcab Possible Buffer Overflow:2 [1561] ORACLE: Oracle 10g iSQLPLus Service heap overflow:1 [1562] ORACLE: Oracle 10g iSQLPLus Service heap overflow:2 [1563] CA: BrightStor ARCserve Backup Universal Agent Buffer Overflow:1 [1564] IRC: Fujitsu CHOCOA Buffer Overflow:1 [1565] RLOGIN: Trusted Account Attempt:1 [1566] HTTP: Linksys DoS Vulnerability:1 [1567] HTTP: Linksys DoS Vulnerability:2 [1568] BOOTP: Buffer Overflow Exploit:1 [1569] BOOTP: Buffer Overflow Exploit:2 [1570] BOOTP: Buffer Overflow Exploit:3 [1571] BACKDOOR: Pitfall:1 [1572] BACKDOOR: Pitfall:2 [1573] HTTP: Apache Win32 PHP.EXE Remote File Disclosure:1 [1574] HTTP: Apache Win32 PHP.EXE Remote File Disclosure:2 [1575] SMTP: Sendmail Invalid mail from Exploit:1 [1576] HTTP: PHP Includedir Include Code Execution:1 [1577] HTTP: PHP Includedir Include 
Code Execution:2 [1578] BACKDOOR: DTr:1 [1579] H.225: Microsoft ISA Server Destination Address Email Buffer Overflow:1 [1580] BACKDOOR: Y3K RAT:1 [1581] BACKDOOR: Y3K RAT:2 [1582] BACKDOOR: Y3K RAT:3 [1583] BACKDOOR: Y3K RAT:4 [1584] FTP: PIPE Vulnerability:1 [1585] MSSQL: Xp_updatecolvbm Possible Buffer Overflow:1 [1586] MSSQL: Xp_updatecolvbm Possible Buffer Overflow:2 [1587] HTTP: ScriptAlias Retrieve Information:1 [1588] HTTP: ScriptAlias Retrieve Information:2 [1589] ORACLE: XDB Buffer Overflow:1 [1590] ORACLE: XDB Buffer Overflow:2 [1591] ORACLE: XDB Buffer Overflow:3 [1592] WORM: W32/Bagle.ad@MM Worm:1 [1593] WORM: W32/Bagle.ad@MM Worm:2 [1594] WORM: W32/Bagle.ad@MM Worm:3 [1595] WORM: W32/Bagle.ad@MM Worm:4 [1596] WORM: W32/Bagle.ad@MM Worm:5 [1597] WORM: W32/Bagle.ad@MM Worm:6 [1598] HTTP: phpBB Viewtopic.php Remote Command Execution:1 [1599] HTTP: phpBB Viewtopic.php Remote Command Execution:2 [1600] MySQL: Version 4.1 and 5.0 Authentication Bypass:1 [1601] BACKDOOR: R0Xr4t:1 [1602] BACKDOOR: R0Xr4t:2 [1603] HTTP: HTTP Request Smuggling Attack:1 [1604] HTTP: HTTP Request Smuggling Attack:2 [1605] HTTP: HTTP Request Smuggling Attack:3 [1606] HTTP: HTTP Request Smuggling Attack:4 [1607] HTTP: HTTP Request Smuggling Attack:5 [1608] HTTP: Format String Detected in URI Path:1 [1609] HTTP: Format String Detected in URI Path:2 [1610] HTTP: Format String Detected in URI Path:3 [1611] SMTP: Microsoft Msdds.dll Memory Corruption:1 [1612] SSL: Bad State Transition:1 [1613] SENSOR: Attack Marker Resources Exhausted:1 [1614] HTTP: DCForum GetAdmin Attempt:1 [1615] HTTP: DCForum GetAdmin Attempt:2 [1616] RPC: TTDBServerD Solaris LSD Buffer Overflow:1 [1617] RPC: TTDBServerD Solaris LSD Buffer Overflow:2 [1618] MSSQL: xp_repl_encrypt Possible Buffer Overflow:1 [1619] MSSQL: xp_repl_encrypt Possible Buffer Overflow:2 [1620] ORACLE: 8i TNS Listener Buffer Overflow:1 [1621] ORACLE: 8i TNS Listener Buffer Overflow:2 [1622] TELNET: System V Derived Login Buffer Overflow:1 
[1623] TELNET: System V Derived Login Buffer Overflow:2 [1624] TELNET: System V Derived Login Buffer Overflow:3 [1625] SMB: Microsoft MS05-027 SMB Buffer Overflow:1 [1626] HTTP: IIS HTR Chunk Encoding Heap Overflow:1 [1627] HTTP: IIS HTR Chunk Encoding Heap Overflow:2 [1628] IDENT: Invalid IDENT Flow:1 [1629] IDENT: Invalid IDENT Flow:2 [1630] IDENT: Invalid IDENT Flow:3 [1631] IDENT: Invalid IDENT Flow:4 [1632] HTTP: Mambo Site Server PHPSESSID Exploit:1 [1633] HTTP: Mambo Site Server PHPSESSID Exploit:2 [1634] BACKDOOR: Basic Hell:1 [1635] BACKDOOR: Glacier:1 [1636] NMAP: XMAS Probe:1 [1637] HTTP: whois_raw.cgi Run Command:1 [1638] HTTP: whois_raw.cgi Run Command:2 [1639] ORACLE: Application Server Default Page showdetails:1 [1640] TELNET: Sun Telnet Daemon Denial of Service:2 [1641] BACKDOOR: Nirvana:1 [1642] BACKDOOR: Nirvana:2 [1643] BACKDOOR: Nirvana:3 [1644] BACKDOOR: NetSphere Trojan:1 [1645] BACKDOOR: NetSphere Trojan:2 [1646] HTTP: InfoSearch Run Command:1 [1647] HTTP: InfoSearch Run Command:2 [1648] SNMP: Invalid Trap Agent Address:1 [1649] TELNET: Login Brute Force:1 [1650] DNS: Information Leak:1 [1651] HTTP: Mantis Configuration Remote File Include Exploit:1 [1652] HTTP: Mantis Configuration Remote File Include Exploit:2 [1653] HTTP: Mantis Configuration Remote File Include Exploit:3 [1654] WINS: Long Name Buffer Overflow:1 [1655] SMTP: Microsoft SMTP Service Encapsulated Address Exploit:1 [1656] SSL: NSS Heap Overflow:1 [1657] BACKDOOR: Net Administrator:1 [1658] BACKDOOR: Net Administrator:2 [1659] BACKDOOR: Net Administrator:3 [1660] IM: AOL Instant Messenger (or ICQ) Alive:1 [1661] IM: AOL Instant Messenger (or ICQ) Alive:2 [1662] IM: AOL Instant Messenger (or ICQ) Alive:5 [1663] IM: AOL Instant Messenger (or ICQ) Alive:6 [1664] IM: AOL Instant Messenger (or ICQ) Alive:7 [1665] SCAN: WebTrends Scanner UDP Probe:1 [1666] HTTP: Handler Execute Command Attempt:1 [1667] HTTP: Handler Execute Command Attempt:2 [1668] ORACLE: 9i Application Server 
PL/SQL Apache Module Directory Traversal Vulnerability:1 [1669] SNMP: PROTOS Test Suite Format String DoS:1 [1670] SNMP: PROTOS Test Suite Format String DoS:2 [1671] SNMP: PROTOS Test Suite Format String DoS:3 [1672] SNMP: PROTOS Test Suite Format String DoS:4 [1673] NNTP: XPAT Parameter Overflow:1 [1674] HTTP: PHPix Gallery Remote Command Execution:1 [1675] HTTP: PHPix Gallery Remote Command Execution:2 [1676] IMAP: Overly Long STATUS Command Parameter:1 [1677] HTTP: Allaire JRun JSP Execute:1 [1678] HTTP: Allaire JRun JSP Execute:2 [1679] SMTP: PINE Message Parsing Integer Overflow:1 [1680] FINGER: Redirection Attempt:1 [1681] FINGER: Redirection Attempt:2 [1682] TELNET: IRIX Telnetd RLD Format String Vunerability:1 [1683] TELNET: IRIX Telnetd RLD Format String Vunerability:2 [1684] ARKEIA: Knox Arkeia Request Message Buffer Overflow:1 [1685] ARKEIA: Knox Arkeia Request Message Buffer Overflow:2 [1686] SSL: Certificate Microsoft ASN.1 Length Encoding Error:1 [1687] BACKDOOR: Infra/Le guardien:1 [1688] BACKDOOR: Infra/Le guardien:2 [1689] BACKDOOR: Back Orifice Trojan:1 [1690] BACKDOOR: Back Orifice Trojan:2 [1691] BACKDOOR: Back Orifice Trojan:3 [1692] BACKDOOR: Back Orifice Trojan:4 [1693] BACKDOOR: Back Orifice Trojan:5 [1694] BACKDOOR: Back Orifice Trojan:7 [1695] BACKDOOR: Back Orifice Trojan:8 [1696] FTP: Unix Command Shell Running:1 [1697] FTP: Unix Command Shell Running:2 [1698] FTP: Unix Command Shell Running:3 [1699] HTTP: Expression Calculator Input Validation:1 [1700] HTTP: Expression Calculator Input Validation:2 [1701] HTTP: Expression Calculator Input Validation:4 [1702] HTTP: Expression Calculator Input Validation:3 [1703] HTTP: Expression Calculator Input Validation:5 [1704] HTTP: Expression Calculator Input Validation:6 [1705] POP3: Buffer Overflow Attempt With XTND Command Parameters:1 [1706] WORM: W32/Sober.j@MM Worm:1 [1707] WORM: W32/Sober.j@MM Worm:2 [1708] WORM: W32/Sober.j@MM Worm:3 [1709] WORM: W32/Sober.j@MM Worm:4 [1710] WORM: 
W32/Sober.j@MM Worm:5 [1711] WORM: W32/Sober.j@MM Worm:6 [1712] WORM: W32/Sober.j@MM Worm:7 [1713] WORM: W32/Sober.j@MM Worm:8 [1714] WORM: W32/Sober.j@MM Worm:9 [1715] WORM: W32/Sober.j@MM Worm:10 [1716] WORM: W32/Sober.j@MM Worm:11 [1717] WORM: W32/Sober.j@MM Worm:12 [1718] HTTP: CGI nlog Exploit:1 [1719] HTTP: CGI nlog Exploit:2 [1720] SMTP: Sendmail Prescan Overflow:1 [1721] BACKDOOR: M2 Trojan:1 [1722] HTTP: IIS iisadmpwd Proxied Password Attack Attempt:1 [1723] HTTP: IIS iisadmpwd Proxied Password Attack Attempt:2 [1724] POP3: Buffer Overflow Attempt With PASS Parameters Attack:1 [1725] DoS: Ping-of-Death Attack:1 [1726] HTTP: Selena Sol Webstore Order Log Exposure:1 [1727] HTTP: Selena Sol Webstore Order Log Exposure:2 [1728] NETBIOS-SS: Windows DDN DoS:1 [1729] HTTP: Foxweb 2.5 Buffer Overflow:1 [1730] HTTP: Foxweb 2.5 Buffer Overflow:2 [1731] HTTP: Foxweb 2.5 Buffer Overflow:3 [1732] BOT: IRC SCAN Activity:1 [1733] BOT: IRC SCAN Activity:2 [1734] BACKDOOR: Danton:1 [1735] FTP: Pwd Format String:1 [1736] FTP: Pwd Format String:2 [1737] HTTP: FormMail Execute Arbitrary Command:1 [1738] HTTP: FormMail Execute Arbitrary Command:2 [1739] HTTP: FormMail Execute Arbitrary Command:3 [1740] POP3: IRIX popd Buffer Overflow:1 [1741] POP3: IRIX popd Buffer Overflow:2 [1742] WORM: W32/Zafi.b@MM Worm:1 [1743] WORM: W32/Zafi.b@MM Worm:2 [1744] WORM: W32/Zafi.b@MM Worm:3 [1745] SENSOR: Invalid Quote Encoding:1 [1746] HTTP: Jason Maloney's CGI Guestbook Command Execution:1 [1747] HTTP: Jason Maloney's CGI Guestbook Command Execution:2 [1748] BACKDOOR: F-Backdoor:1 [1749] H.225: PROTO Destination Address Sequence Anomaly:1 [1750] FTP: Firewall State Table Corruption Expliot:1 [1751] HTTP: Interpreter Access Attempt:1 [1752] HTTP: Interpreter Access Attempt:2 [1753] Oracle: SQL Query Directory Traversal Vulnerability:1 [1754] WORM: W32/Bagle.ai@MM Worm:1 [1755] WORM: W32/Bagle.ai@MM Worm:2 [1756] WORM: W32/Bagle.ai@MM Worm:3 [1757] MySQL: Create Function Arbitrary Code 
Execution:1 [1758] MySQL: Create Function Arbitrary Code Execution:2 [1759] BACKDOOR: Remote Boot Tool:1 [1760] BACKDOOR: Remote Boot Tool:2 [1761] IMAP: Buffer Overflow With Overly Long UNSUBSCRIBE Command Parameters:1 [1762] NETBIOS-SS: Microsoft Indexing Service Query Handling Buffer Overflow:1 [1763] HTTP: ColdFusion viewexample.cfm File Disclosure:1 [1764] HTTP: ColdFusion viewexample.cfm File Disclosure:2 [1765] HTTP: ColdFusion viewexample.cfm File Disclosure:3 [1766] SSL: Connections Exhausted:1 [1767] BACKDOOR: AOL Admin:1 [1768] BACKDOOR: AOL Admin:2 [1769] DDoS: Trin00 Daemon-to-Master (PONG):1 [1770] MSSQL: xp_sqlinventory Possible Buffer Overflow:1 [1771] MSSQL: xp_sqlinventory Possible Buffer Overflow:2 [1772] WORM: W32/Netsky.d@MM Worm:1 [1773] TELNET: Buffer Overflow Attempt Detected in User Login:1 [1774] TELNET: Buffer Overflow Attempt Detected in User Login:2 [1775] TELNET: Buffer Overflow Attempt Detected in User Login:3 [1776] TELNET: Buffer Overflow Attempt Detected in User Login:4 [1777] TELNET: Buffer Overflow Attempt Detected in User Login:5 [1778] TELNET: Buffer Overflow Attempt Detected in User Login:6 [1779] HTTP: IIS 5.0 In-Process Table Privilege Escalation:1 [1780] HTTP: IIS 5.0 In-Process Table Privilege Escalation:2 [1781] SMTP: Buffer Overflow Attempt with Overly Long EXPN Parameters:1 [1782] HTTP: Poster.version:two Setup Vulnerability:1 [1783] HTTP: Poster.version:two Setup Vulnerability:2 [1784] P2P: SoftEther Alive:1 [1785] P2P: SoftEther Alive:2 [1786] P2P: SoftEther Alive:3 [1787] P2P: SoftEther Alive:5 [1788] BACKDOOR: Bla:2 [1789] RPC: SADMIND Generic Length Buffer Overflow:1 [1790] HTTP: IIS3 ASP Dot Bug:1 [1791] HTTP: IIS3 ASP Dot Bug:2 [1792] ORACLE: ISQLPLUS Buffer Overflow Vulnerability:1 [1793] ORACLE: ISQLPLUS Buffer Overflow Vulnerability:2 [1794] ORACLE: ISQLPLUS Buffer Overflow Vulnerability:3 [1795] HTTP: aglimpse Run Arbitrary Commands:1 [1796] HTTP: aglimpse Run Arbitrary Commands:2 [1797] ICMP: Nachi Ping:1 
[1798] POP3: Vpop3 Buffer Overflow:1 [1799] POP3: Vpop3 Buffer Overflow:2 [1800] POP3: Vpop3 Buffer Overflow:3 [1801] WORM: W32/Sober.f@MM Worm:1 [1802] WORM: W32/Sober.f@MM Worm:2 [1803] WORM: W32/Sober.f@MM Worm:3 [1804] WORM: W32/Sober.f@MM Worm:4 [1805] WORM: W32/Sober.f@MM Worm:5 [1806] WORM: W32/Sober.f@MM Worm:6 [1807] TELNET: Windows 2000 Telnetd NTLM Information Leak Vulnerability:1 [1808] BACKDOOR: Osiris:1 [1809] NETBIOS-SS: Windows XP Shell Buffer Overflow:1 [1810] NETBIOS-SS: Windows XP Shell Buffer Overflow:2 [1811] SMTP: Foxmail From: Field Buffer Overflow:1 [1812] IM: AOL Link Special Character Remote Heap Overflow:1 [1813] RPC: NIS Generic Length Buffer Overflow:1 [1814] MSSQL: Xp_reg* Registry Access:1 [1815] MSSQL: Xp_reg* Registry Access:2 [1816] SNMP: Invalid Version Detected:1 [1817] SSH: OpenSSH Challenge-Response Buffer Overflow:1 [1818] SSH: OpenSSH Challenge-Response Buffer Overflow:2 [1819] SSH: OpenSSH Challenge-Response Buffer Overflow:3 [1820] SSH: OpenSSH Challenge-Response Buffer Overflow:4 [1821] HTTP: iPlanet Search Buffer Overflow:1 [1822] HTTP: iPlanet Search Buffer Overflow:2 [1823] SMTP: Pine From: Field Heap Corruption:1 [1824] HTTP: Mnogosearch Buffer Overflow:1 [1825] HTTP: Mnogosearch Buffer Overflow:2 [1826] BACKDOOR: Secret Service/Hell Driver:1 [1827] BACKDOOR: Secret Service/Hell Driver:2 [1828] DDoS: TFN2k ICMP Possible Communication:1 [1829] ORACLE: 9iAS Apache PL/SQL Module Multiple Buffer Overflows:1 [1830] ORACLE: 9iAS Apache PL/SQL Module Multiple Buffer Overflows:2 [1831] ORACLE: 9iAS Apache PL/SQL Module Multiple Buffer Overflows:3 [1832] HTTP: Phorum code.php3 View File:1 [1833] HTTP: Phorum code.php3 View File:2 [1834] WORM: W32/Mydoom@MM Worm:1 [1835] WORM: W32/Mydoom@MM Worm:2 [1836] WORM: W32/Mydoom@MM Worm:3 [1837] WORM: W32/Mydoom@MM Worm:4 [1838] WORM: W32/Mydoom@MM Worm:5 [1839] WORM: W32/Mydoom@MM Worm:6 [1840] HTTP: Cart32 cart32clientlist Information Disclosure:1 [1841] HTTP: Cart32 cart32clientlist 
Information Disclosure:2 [1842] FINGER: FingerD Global File Access Attempt:1 [1843] P2P: eDonkey File Transferring:1 [1844] P2P: eDonkey File Transferring:2 [1845] P2P: eDonkey File Transferring:3 [1846] RTSP: Novell BorderManager RTSP Proxy DoS:1 [1847] TELNET: Generic Telnetd Telrcv() Buffer Overflow Attack:1 [1848] TELNET: Generic Telnetd Telrcv() Buffer Overflow Attack:2 [1849] TELNET: Generic Telnetd Telrcv() Buffer Overflow Attack:3 [1850] HTTP: WebDAV Large Body DoS:1 [1851] HTTP: WebDAV Large Body DoS:2 [1852] BACKDOOR: Hack'a'Tack Trojan:1 [1853] BACKDOOR: Hack'a'Tack Trojan:2 [1854] FTP: wu-ftpd SITE NEWER Command DoS:1 [1855] WORM: W32/Sober.k@MM Worm:1 [1856] WORM: W32/Sober.k@MM Worm:2 [1857] WORM: W32/Sober.k@MM Worm:3 [1858] BACKDOOR: Michal:1 [1859] P2P: KaZaA Client Connected to Server:1 [1860] P2P: KaZaA Client Connected to Server:2 [1861] P2P: KaZaA Client Connected to Server:3 [1862] P2P: KaZaA Client Connected to Server:4 [1863] FTP: Broker Ftpd Vulnerability:1 [1864] FTP: Broker Ftpd Vulnerability:2 [1865] FTP: Broker Ftpd Vulnerability:3 [1866] FTP: Broker Ftpd Vulnerability:4 [1867] HTTP: IPlanet Shtml Exploit:1 [1868] HTTP: IPlanet Shtml Exploit:2 [1869] HTTP: IPlanet Shtml Exploit:3 [1870] REXEC: User Name Too Long:1 [1871] REXEC: User Name Too Long:2 [1872] HTTP: IIS Multiple Sample ASP Script View File Attempt:1 [1873] HTTP: IIS Multiple Sample ASP Script View File Attempt:2 [1874] HTTP: IIS Multiple Sample ASP Script View File Attempt:3 [1875] SNMP: 3Com SuperStack Community String Leak:1 [1876] TFTP: Wvtftp Remote Heap Overflow:1 [1877] MSRPC: Windows Locator Service Buffer Overflow:1 [1878] NETBIOS-SS: Windows 2000 ADMIN$ Access:1 [1879] HTTP: BOOZT! Index.cgi Buffer Overflow:1 [1880] HTTP: BOOZT! Index.cgi Buffer Overflow:2 [1881] HTTP: BOOZT! 
Index.cgi Buffer Overflow:3 [1882] BACKDOOR: Drat:1 [1883] FTP: WU-FTP 2.6.0 Buffer Overflow:1 [1884] FTP: WU-FTP 2.6.0 Buffer Overflow:2 [1885] FTP: WU-FTP 2.6.0 Buffer Overflow:3 [1886] FTP: WU-FTP 2.6.0 Buffer Overflow:4 [1887] DDoS: Shaft Handler-to-Agent Communication:1 [1888] WORM: W32/Netsky.s@MM Worm:1 [1889] WORM: W32/Netsky.s@MM Worm:2 [1890] WORM: W32/Netsky.s@MM Worm:3 [1891] DHCP: Option Suspiciously Long:1 [1892] DHCP: Option Suspiciously Long:2 [1893] RADIUS: Message Digest Calculation Buffer Overflow:1 [1894] SHELLCODE: Shellcode Detected for MIPS Family CPUs:1 [1895] SHELLCODE: Shellcode Detected for MIPS Family CPUs:2 [1896] SMTP: Friend Greeting Worm Email:1 [1897] HTTP: Mdaemon Mail Server FORM2RAW.exe Buffer Overflow:1 [1898] HTTP: Mdaemon Mail Server FORM2RAW.exe Buffer Overflow:2 [1899] BACKDOOR: GiFt:1 [1900] DCERPC: W32/Gaobot.worm Detected:1 [1901] DCERPC: W32/Gaobot.worm Detected:2 [1902] FTP: WU-FTPD Linux Buffer Overflow:1 [1903] FTP: WU-FTPD Linux Buffer Overflow:2 [1904] FTP: WU-FTPD Linux Buffer Overflow:3 [1905] RSH: Login Failed:1 [1906] POP3: Buffer Overflow Attempt with UIDL Parameters:1 [1907] WORM: W32/Mydoom.s@MM Worm:1 [1908] WORM: W32/Mydoom.s@MM Worm:2 [1909] WORM: W32/Mydoom.s@MM Worm:3 [1910] IMAP: Buffer Overflow Attempt with APPEND Command Parameters:1 [1911] SMB: Microsoft SMB Client Transaction2 FirstFind2 Dos:1 [1912] SMB: Microsoft SMB Client Transaction2 FirstFind2 Dos:2 [1913] SSL: Unsupported or Unknown Cipher:1 [1914] SSL: Unsupported or Unknown Cipher:2 [1915] SMTP: Long RCPT Params with Shellcode Attack:1 [1916] BACKDOOR: Backage:1 [1917] BACKDOOR: Backage:2 [1918] DCERPC: Microsoft TAPI Service Buffer Overflow:1 [1919] DDoS: Trin00 Attacker-to-Master Default mdie Password:1 [1920] FTP: Ftpd ISS Scan:1 [1921] HTTP: L3 Retriever Probe:1 [1922] POP3: Qpop241 Buffer Overflow:1 [1923] TELNET: User Root Activity:1 [1924] TELNET: User Root Activity:2 [1925] TFTP: Nimda Worm Attack:1 [1926] WORM: W32/Bagle.k@MM 
Worm:1 [1927] WORM: W32/Bagle.k@MM Worm:2 [1928] WORM: W32/Bagle.k@MM Worm:3 [1929] RPC: STATD SMMON Generic Length Buffer Overflow:1 [1930] IGMP: Fragmented IGMP Packet Attack:1 [1931] WORM: W32/Bagle.z@MM Worm:1 [1932] WORM: W32/Bagle.z@MM Worm:2 [1933] WORM: W32/Bagle.z@MM Worm:3 [1934] IMAP: LIST Command Parameter Buffer Overflow Attempt:1 [1935] SMB: Samba reply_ntrans2 Buffer Overflow:1 [1936] SMTP: Avirt Mail Server Directory Creation:1 [1937] NETBIOS-NS: Symantec Firewall NBNS Response Heap Overflow:1 [1938] HTTP: IIS ASP Server Side Buffer Overflow:2 [1939] HTTP: IIS ASP Server Side Buffer Overflow:3 [1940] P2P: Groove Virtual Office Groove.Net Agent Detected:1 [1941] P2P: Groove Virtual Office Groove.Net Agent Detected:2 [1942] P2P: Groove Virtual Office Groove.Net Agent Detected:3 [1943] RPC: SADMIND Weak Authentication Vulnerability:1 [1944] RPC: SADMIND Weak Authentication Vulnerability:2 [1945] RPC: SADMIND Weak Authentication Vulnerability:3 [1946] RPC: SADMIND Weak Authentication Vulnerability:4 [1947] FTP: Stor .rhosts Attempt:1 [1948] SIP: GNU oSIP URI Parsing Heap Overflow:1 [1949] SIP: GNU oSIP URI Parsing Heap Overflow:2 [1950] BACKDOOR: Schwindler:1 [1951] NETBIOS-SS: MS Explorer and IE Long Share Name Buffer Overflow:1 [1952] SYBASE: Login Failed:1 [1953] SMTP: Buffer Overflow Attemtped with Overly Long SAML/SOML Parameters:1 [1954] HTTP: Wordpress PHP File Include Vulnerability:1 [1955] NFS: SunOS Large UID Mismatch:1 [1956] NFS: SunOS Large UID Mismatch:2 [1957] ARP: ARP Spoofing Detected:1 [1958] P2P: XoloX Alive:1 [1959] P2P: XoloX Alive:2 [1960] BACKDOOR: libpcap and tcpdump Trojan:1 [1961] BACKDOOR: libpcap and tcpdump Trojan:2 [1962] MSSQL: OpenRowSet Possible Buffer Overflow:1 [1963] MSSQL: OpenRowSet Possible Buffer Overflow:2 [1964] DDoS: Stacheldraht Agent-response-gag:1 [1965] HTTP: Apache Chunked Encoding Exploit:1 [1966] HTTP: Apache Chunked Encoding Exploit:2 [1967] HTTP: Apache Chunked Encoding Exploit:3 [1968] HTTP: Apache 
Chunked Encoding Exploit:4 [1969] HTTP: Snork Probe:1 [1970] HTTP: Snork Probe:2 [1971] WORM: W32/Netsky.b@MM Worm:1 [1972] WORM: W32/Netsky.b@MM Worm:2 [1973] WORM: W32/Netsky.b@MM Worm:3 [1974] WORM: W32/Netsky.b@MM Worm:4 [1975] WORM: W32/Netsky.b@MM Worm:5 [1976] WORM: W32/Netsky.b@MM Worm:6 [1977] BACKDOOR: Net Metropolitan:1 [1978] MSRPC: Malformed LSARPC LookupName DoS:1 [1979] SMTP: McAfee WebShield SMTP Invalid Outgoing Recipient Field DoS:1 [1980] IM: AOL Messenger Server Lookup:1 [1981] IM: MSN (.NET) Messenger File Transfer:1 [1982] IM: MSN (.NET) Messenger File Transfer:2 [1983] IM: MSN (.NET) Messenger File Transfer:3 [1984] RTSP: Darwin Streaming Server Integer Overflow:1 [1985] HTTP: Allaire JRun WEB-INF Disclosure:1 [1986] HTTP: Allaire JRun WEB-INF Disclosure:2 [1987] HTTP: Allaire JRun WEB-INF Disclosure:3 [1988] HTTP: Allaire JRun WEB-INF Disclosure:4 [1989] TELNET: Livingston DoS:1 [1990] FTP: Overly Long UNLOCK Command Parameters with Shellcode:2 [1991] NETBIOS-SS: Copy Executable File Attempt:1 [1992] NETBIOS-SS: Copy Executable File Attempt:2 [1993] RADIUS: FreeRADIUS Heap Corruption DoS:1 [1994] SMTP: Sendmail ETRN DoS:1 [1995] HTTP: Textportal Default Editor Password:1 [1996] HTTP: Textportal Default Editor Password:2 [1997] FTP: WFTPD Buffer Overflow Vulnerability:1 [1998] FTP: WFTPD Buffer Overflow Vulnerability:2 [1999] HTTP: ESdotOne Input Validation Error:1 [2000] HTTP: ESdotOne Input Validation Error:2 [2001] BACKDOOR: War Trojan:1 [2002] SMTP: Incorrect MIME Header with Executable Attachment Found:1 [2003] UPnP: SSDP Denial of Service Attack:1 [2004] BACKDOOR: Bugs:1 [2005] BACKDOOR: Bugs:2 [2006] P2P: Gnucleus Alive:1 [2007] P2P: Gnucleus Alive:2 [2008] P2P: Gnucleus Alive:3 [2009] P2P: Gnucleus Alive:4 [2010] KERBEROS: Non-Kerberos Traffic Detected:1 [2011] HTTP: Nimda Worm - IIS Extended Unicode Directory Traversal Attack:1 [2012] HTTP: Nimda Worm - IIS Extended Unicode Directory Traversal Attack:2 [2013] IRC: Trillian JOIN 
Buffer Overflow:1 [2014] MSRPC: NT RASMAN Pathname Registry Exploit:1 [2015] HTTP: BadBlue Unencrypted Password File Read Attempt:1 [2016] HTTP: BadBlue Unencrypted Password File Read Attempt:2 [2017] HTTP: Vibechild Directory Manager Command Execution:1 [2018] HTTP: Vibechild Directory Manager Command Execution:2 [2019] BACKDOOR: ICMP Chat:1 [2020] RPC: CMSD SolarisX86 Cmsdex Buffer Overflow:1 [2021] RPC: CMSD SolarisX86 Cmsdex Buffer Overflow:2 [2022] DDoS: mstream Handler-to-Agent Communication:1 [2023] BACKDOOR: Scarab:1 [2024] HTTP: Mercantec SoftCart CGI Overflow:1 [2025] HTTP: Mercantec SoftCart CGI Overflow:2 [2026] HTTP: Mercantec SoftCart CGI Overflow:3 [2027] IMAP: Buffer Overflow with Overly Long RENAME Command Parameters:1 [2028] BACKDOOR: Progenic:1 [2029] RPC: STATD UNMONALL Buffer Overflow:1 [2030] RPC: STATD UNMONALL Buffer Overflow:2 [2031] RPC: STATD UNMONALL Buffer Overflow:3 [2032] DCERPC: Microsoft Windows NETDDE Buffer Overflow:1 [2033] DCERPC: Microsoft Windows NETDDE Buffer Overflow:2 [2034] DCERPC: Microsoft Windows NETDDE Buffer Overflow:3 [2035] DCERPC: Microsoft Windows NETDDE Buffer Overflow:4 [2036] DCERPC: Microsoft Windows NETDDE Buffer Overflow:5 [2037] MSSQL: xp_deletequeue Possible Buffer Overflow:1 [2038] MSSQL: xp_deletequeue Possible Buffer Overflow:2 [2039] HTTP: Altavista Search Engine View File:1 [2040] HTTP: Altavista Search Engine View File:2 [2041] RSH: Trusted Account Attempt:1 [2042] POP3: Buffer Overflow Attempt With DELE Parameters:1 [2043] WORM: W32/Bagle.bb@MM Worm:1 [2044] WORM: W32/Bagle.bb@MM Worm:2 [2045] WORM: W32/Bagle.bb@MM Worm:3 [2046] WORM: W32/Bagle.bb@MM Worm:4 [2047] WORM: W32/Bagle.bb@MM Worm:5 [2048] WORM: W32/Bagle.bb@MM Worm:6 [2049] IMAP: Buffer Overflow With Overly Long STOR Command Parameters:1 [2050] HTTP: Merchant Order Form 1.2 Order Log Exposure:1 [2051] HTTP: Merchant Order Form 1.2 Order Log Exposure:2 [2052] BACKDOOR: Syphillis/Syphilis:1 [2053] BACKDOOR: Syphillis/Syphilis:2 [2054] FTP: 
Ftpd Piss Scan:1 [2055] HTTP: Web+ Read File:1 [2056] HTTP: Web+ Read File:2 [2057] POP3: Qpop3 Xtnd Exploit:1 [2058] SENSOR: Packet Buffers Running Low:1 [2059] SMTP: Possible Virus Attachment File with Double Extension:1 [2060] DoS: Jolt Attack:1 [2061] SNMP: Protocol Anomaly Indefinite Length Encoding 2nd Part:1 [2062] SNMP: Protocol Anomaly Indefinite Length Encoding 2nd Part:2 [2063] SNMP: Protocol Anomaly Indefinite Length Encoding 2nd Part:3 [2064] SNMP: Protocol Anomaly Indefinite Length Encoding 2nd Part:4 [2065] SNMP: Protocol Anomaly Indefinite Length Encoding 2nd Part:5 [2066] SNMP: Protocol Anomaly Indefinite Length Encoding 2nd Part:6 [2067] SNMP: Protocol Anomaly Indefinite Length Encoding 2nd Part:7 [2068] SNMP: Protocol Anomaly Indefinite Length Encoding 2nd Part:8 [2069] POP3: APOP Command Buffer Overflow:1 [2070] POP3: APOP Command Buffer Overflow:3 [2071] TELNET: Cisco 677/678 Buffer Overflow:1 [2072] WORM: W32/Lovgate.ab@MM Worm:1 [2073] WORM: W32/Lovgate.ab@MM Worm:2 [2074] WORM: W32/Lovgate.ab@MM Worm:3 [2075] WORM: W32/Lovgate.ab@MM Worm:4 [2076] WORM: W32/Lovgate.ab@MM Worm:5 [2077] WORM: W32/Lovgate.ab@MM Worm:6 [2078] IMAP: wu-imapd Core File Password Leak:1 [2079] LPR: Mailoption Exploit:1 [2080] SENSOR: Shellcode Detection State Nodes Exhausted:1 [2081] SMTP: Mail Relay Attempt:1 [2082] HTTP: IIS Bdir access:1 [2083] HTTP: IIS Bdir access:2 [2084] DCERPC: Microsoft Messenger Service Buffer Overflow:1 [2085] DCERPC: Microsoft Messenger Service Buffer Overflow:2 [2086] DCERPC: Microsoft Messenger Service Buffer Overflow:3 [2087] BACKDOOR: Devil:1 [2088] BACKDOOR: Devil:2 [2089] BACKDOOR: Devil:3 [2090] BACKDOOR: Devil:4 [2091] BACKDOOR: Devil:5 [2092] SIP: Multiple Buffer Overflow in Cisco SIP Server:1 [2093] SIP: Multiple Buffer Overflow in Cisco SIP Server:2 [2094] SIP: Multiple Buffer Overflow in Cisco SIP Server:3 [2095] BACKDOOR: Meet the Lamer:1 [2096] BACKDOOR: Meet the Lamer:2 [2097] SYBASE: Xp_freedll Command Used:1 [2098] 
SYBASE: Xp_freedll Command Used:2 [2099] SMTP: DMail Buffer Overflow:1 [2100] SMTP: DMail Buffer Overflow:3 [2101] SMTP: DMail Buffer Overflow:2 [2102] HTTP: PHPBB quick_reply.php Remote File Include Exploit:1 [2103] HTTP: PHPBB quick_reply.php Remote File Include Exploit:2 [2104] AFS: TCPDUMP Buffer Overflow on AFS-ACL:1 [2105] ARP: Broadcast Sender MAC Address:1 [2106] RPC: Automountd Remote Command Execution:1 [2107] RPC: Automountd Remote Command Execution:2 [2108] BACKDOOR: iGLOO:1 [2109] BACKDOOR: iGLOO:2 [2110] BACKDOOR: iGLOO:3 [2111] MSSQL: OpenDataSource Possible Buffer Overflow:1 [2112] MSSQL: OpenDataSource Possible Buffer Overflow:2 [2113] DDoS: TFN Client Command:1 [2114] HTTP: IIS Escape Character Parsing:1 [2115] HTTP: IIS Escape Character Parsing:2 [2116] HTTP: Alibaba Run Arbitrary Commands:1 [2117] HTTP: Alibaba Run Arbitrary Commands:2 [2118] IRC: Ezbounce Format String Exploit:1 [2119] WORM: Possible Worm Detected in Attachment:1 [2120] WORM: Possible Worm Detected in Attachment:2 [2121] WORM: Possible Worm Detected in Attachment:3 [2122] WORM: Possible Worm Detected in Attachment:4 [2123] WORM: Possible Worm Detected in Attachment:5 [2124] WORM: Possible Worm Detected in Attachment:6 [2125] BACKDOOR: Acid Battery:1 [2126] BACKDOOR: Acid Battery:2 [2127] SMTP: Sendmail MIME Overflow:1 [2128] IM: MSN Messenger Information Disclosure Vulnernability:1 [2129] IM: MSN Messenger Information Disclosure Vulnernability:2 [2130] BACKDOOR: PhaseZero Trojan:1 [2131] HTTP: cachemgr.cgi Unauthorized Connection:1 [2132] HTTP: cachemgr.cgi Unauthorized Connection:2 [2133] DoS: UDP-Based Jolt2 Attack:1 [2134] IM: Microsoft MSN Messenger Malformed Invite Flow DoS:1 [2135] HTTP: ICQ Webserver Directory Traversal Attempt:1 [2136] HTTP: ICQ Webserver Directory Traversal Attempt:2 [2137] DistCC: Arbitrary Command Execution:1 [2138] DoS: Cisco Syslog DoS:1 [2139] IRC: Trinity DDoS:1 [2140] IRC: Trinity DDoS:2 [2141] IRC: Trinity DDoS:3 [2142] IRC: Trinity DDoS:4 
[2143] BACKDOOR: XLog:1 [2144] HTTP: Bugbear Virus Worm:1 [2145] HTTP: Bugbear Virus Worm:2 [2146] NETBIOS-SS: User Enumeration:1 [2147] SMTP: Check Point Firewall-1 DoS:1 [2148] HTTP: Kruse Calender Remote Command Execution:1 [2149] HTTP: Kruse Calender Remote Command Execution:2 [2150] H.225: PROTO Destination Address E164 Length Anomaly:1 [2151] RPC: IRIX xfsmd Export:1 [2152] P2P: LimeWire Alive:1 [2153] P2P: LimeWire Alive:2 [2154] BACKDOOR: Masters Paradise:1 [2155] HTTP: IIS ASP Buffer Overflow:1 [2156] HTTP: IIS ASP Buffer Overflow:2 [2157] HTTP: IIS ASP Buffer Overflow:3 [2158] HTTP: IIS ASP Buffer Overflow:4 [2159] Oracle: DBMS_METADATA Package SQL Injection:1 [2160] SOCKS: SOCKS5 Username/Password Buffer Overflow:1 [2161] SOCKS: SOCKS5 Username/Password Buffer Overflow:2 [2162] SOCKS: SOCKS5 Username/Password Buffer Overflow:3 [2163] BACKDOOR: Remote Process Monitor:1 [2164] SMB: Windows Password File Access Attempt:1 [2165] SENSOR: TCP/UDP Unfinished Connection Tracking Resources Exhausted:1 [2166] SMTP: SLmail DoS:1 [2167] SMTP: SLmail DoS:2 [2168] SMTP: SLmail DoS:3 [2169] SMTP: SLmail DoS:4 [2170] RPC: SADMIND SPARC Buffer Overflow:1 [2171] RPC: SADMIND SPARC Buffer Overflow:2 [2172] RPC: SADMIND SPARC Buffer Overflow:3 [2173] BACKDOOR: SubSeven 2.1 and SubSeven 2.1 Bonus Trojans:1 [2174] BACKDOOR: SubSeven 2.1 and SubSeven 2.1 Bonus Trojans:2 [2175] MSSQL: xp_controlqueueservice Possible Buffer Overflow:1 [2176] MSSQL: xp_controlqueueservice Possible Buffer Overflow:2 [2177] HTTP: Apache Win32 Directory Listing:1 [2178] HTTP: Apache Win32 Directory Listing:2 [2179] BACKDOOR: The Flu:1 [2180] HTTP: TrackerCam PHP Argument Buffer Overflow:1 [2181] HTTP: TrackerCam PHP Argument Buffer Overflow:2 [2182] HTTP: IIS WebDAV Server DoS:1 [2183] HTTP: IIS WebDAV Server DoS:2 [2184] SHELLCODE: Shellcode Exploit Detected for Sparc Family CPUs:1 [2185] SHELLCODE: Shellcode Exploit Detected for Sparc Family CPUs:2 [2186] SHELLCODE: Shellcode Exploit Detected for 
Sparc Family CPUs:3 [2187] ICMP: LOKI2 Tunnel Detected:1 [2188] RPC: STATD MON NOTIFY:1 [2189] RPC: STATD MON NOTIFY:2 [2190] RPC: STATD MON NOTIFY:3 [2191] BACKDOOR: Snid:1 [2192] BACKDOOR: Snid:2 [2193] MSSQL: Xp_readpkfromqueue Possible Buffer Overflow:1 [2194] MSSQL: Xp_readpkfromqueue Possible Buffer Overflow:2 [2195] HTTP: Netauth Input Validation Error:1 [2196] HTTP: Netauth Input Validation Error:2 [2197] ORACLE: TZOFFSET Buffer Overflow:1 [2198] RLOGIN: Root Account Attempt:1 [2199] BACKDOOR: Peanut Brittle:1 [2200] HTTP: Apache PHP3 File Disclosure:1 [2201] HTTP: Apache PHP3 File Disclosure:2 [2202] SMTP: Microsoft MSHTA Script Execution:1 [2203] TCP: T/TCP Option:1 [2204] SMTP: Help Command Buffer Overflow:2 [2205] HTTP: PlanetIntra pi Buffer Overflow:1 [2206] HTTP: PlanetIntra pi Buffer Overflow:2 [2207] HTTP: PlanetIntra pi Buffer Overflow:3 [2208] H.225: PROTO Invalid Source Address Choice:1 [2209] BACKDOOR: Transmission Scout:1 [2210] MSSQL: User Login Failed:1 [2211] MSSQL: User Login Failed:2 [2212] FTP: Servu Directory Traversal:1 [2213] HTTP: CGI Bugzilla Execute Command:1 [2214] HTTP: CGI Bugzilla Execute Command:2 [2215] ORACLE: MD2 Package VALIDATE_GEOM Procedure Buffer Overflow:1 [2216] ORACLE: MD2 Package VALIDATE_GEOM Procedure Buffer Overflow:2 [2217] SNMP: Invalid Bulk Request NonRepeaters:1 [2218] DoS: Land Attack:1 [2219] TFTP: W32/Blaster Worm:1 [2220] TFTP: W32/Blaster Worm:2 [2221] TFTP: W32/Blaster Worm:3 [2222] HTTP: Microsoft IIS WebDAV XML Attribute Expansion DoS:1 [2223] BACKDOOR: Private Port:1 [2224] SMTP: Microsoft Jview Profile Vulnerability:1 [2225] SENSOR: Re-assembly Buffer Memory Exhausted:1 [2226] DCERPC: Microsoft RPCSS Heap Overflow I:1 [2227] DCERPC: Microsoft RPCSS Heap Overflow I:2 [2228] DCERPC: Microsoft RPCSS Heap Overflow I:3 [2229] DCERPC: Microsoft RPCSS Heap Overflow I:4 [2230] RPC: TTDBServerD IRIX APK Buffer Overflow:1 [2231] RPC: TTDBServerD IRIX APK Buffer Overflow:2 [2232] BACKDOOR: BigGluck Trojan:1 
[2233] BACKDOOR: BigGluck Trojan:2 [2234] MSSQL: Xp_proxiedmetadata Possible Buffer Overflow:1 [2235] MSSQL: Xp_proxiedmetadata Possible Buffer Overflow:2 [2236] SNMP: Cisco IOS Trap Message Handling DoS:1 [2237] TELNET: Telnet Client env_opt_add() Buffer Overflow Vulnerability:1 [2238] TELNET: Telnet Client env_opt_add() Buffer Overflow Vulnerability:2 [2239] TELNET: Telnet Client env_opt_add() Buffer Overflow Vulnerability:3 [2240] HTTP: Abyss Web Server Malicious HTTP Request Information Disclosure Vulnerability:1 [2241] PPTP: Windows NT Denial of Service:1 [2242] LPR: Lprng Extend Command Exploit:1 [2243] LPR: Lprng Extend Command Exploit:2 [2244] FINGER: FingerD Backdoor:1 [2245] IDENT: Cfingerd Buffer Overflow:1 [2246] IDENT: Cfingerd Buffer Overflow:2 [2247] IDENT: Cfingerd Buffer Overflow:3 [2248] HTTP: IIS ASP/HTR Backslash Source Disclosure:1 [2249] HTTP: IIS ASP/HTR Backslash Source Disclosure:2 [2250] BACKDOOR: Forced Entry:1 [2251] BACKDOOR: Forced Entry:2 [2252] DoS: TCP RST BGP Denial of Service:1 [2253] BACKDOOR: Net Taxi:1 [2254] HTTP: AWStats Remote Code Execution:1 [2255] HTTP: AWStats Remote Code Execution:2 [2256] UDP: Size of Field Mismatch:1 [2257] HTTP: Apache Jakarta Tomcat URL Parsing Vulnerability:1 [2258] HTTP: Apache Jakarta Tomcat URL Parsing Vulnerability:2 [2259] RDP: Microsoft Remote Desktop Protocol Denial of Service:1 [2260] RDP: Microsoft Remote Desktop Protocol Denial of Service:2 [2261] RDP: Microsoft Remote Desktop Protocol Denial of Service:3 [2262] BACKDOOR: The Infector Trojan:1 [2263] MSSQL: sp_start_job Program Execution:1 [2264] MSSQL: sp_start_job Program Execution:2 [2265] HTTP: Microsoft Index Sever Directory Traversal:1 [2266] HTTP: Microsoft Index Sever Directory Traversal:2 [2267] HTTP: Microsoft Index Sever Directory Traversal:3 [2268] SNMP: Null Field Length Greater Than Zero:1 [2269] POP3: Qpopper Sprintf Buffer Overflow:1 [2270] POP3: Qpopper Sprintf Buffer Overflow:2 [2271] HTTP: Microsoft ASP.NET Path 
Validation Vulnerability :1 [2272] HTTP: Microsoft ASP.NET Path Validation Vulnerability :2 [2273] DNS: BitchX Buffer Overflow:1 [2274] DNS: BitchX Buffer Overflow:2 [2275] DNS: BitchX Buffer Overflow:3 [2276] DNS: BitchX Buffer Overflow:4 [2277] DNS: BitchX Buffer Overflow:5 [2278] SSL: Overly Long PCT Client Hello Challenge:1 [2279] BACKDOOR: Oblivion:1 [2280] BACKDOOR: Oblivion:2 [2281] BACKDOOR: Unix Command Shell Running:1 [2282] BACKDOOR: Unix Command Shell Running:2 [2283] BACKDOOR: Unix Command Shell Running:3 [2284] FTP: SITE CHMOD Buffer Overflow:1 [2285] MSSQL: Named Pipe Denial of Service:1 [2286] HTTP: jj Sample CGI Access:1 [2287] HTTP: jj Sample CGI Access:2 [2288] BACKDOOR: WanRemote:1 [2289] BACKDOOR: WanRemote:2 [2290] DNS: Ethereal Endless Decompression DoS:1 [2291] HTTP: Microsoft NTLM ASN.1 Heap Corruption:1 [2292] HTTP: Microsoft NTLM ASN.1 Heap Corruption:2 [2293] HTTP: Microsoft NTLM ASN.1 Heap Corruption:3 [2294] IP: IP Fragments Overlap:1 [2295] SMTP: Exchange Server X-LINK2STATE Buffer Overflow Attempt:1 [2296] FINGER: Solaris In.fingerd Information Disclosure Vulnerability:1 [2297] FINGER: Solaris In.fingerd Information Disclosure Vulnerability:2 [2298] FINGER: Solaris In.fingerd Information Disclosure Vulnerability:3 [2299] HTTP: Bizdb-Search Remote Command Execution:1 [2300] HTTP: Bizdb-Search Remote Command Execution:2 [2301] MSSQL: SQL Server Worm Slammer:1 [2302] MSSQL: SQL Server Worm Slammer:2 [2303] HTTP: gwweb Buffer Overflow:1 [2304] HTTP: gwweb Buffer Overflow:2 [2305] HTTP: gwweb Buffer Overflow:3 [2306] HTTP: gwweb Buffer Overflow:4 [2307] HTTP: Internet Media Tunneling through HTTP:1 [2308] HTTP: Internet Media Tunneling through HTTP:2 [2309] HTTP: Internet Media Tunneling through HTTP:3 [2310] HTTP: Internet Media Tunneling through HTTP:4 [2311] HTTP: Internet Media Tunneling through HTTP:5 [2312] HTTP: Internet Media Tunneling through HTTP:6 [2313] HTTP: Internet Media Tunneling through HTTP:7 [2314] HTTP: Internet Media 
Tunneling through HTTP:8 [2315] HTTP: Internet Media Tunneling through HTTP:9 [2316] BACKDOOR: Freak88:1 [2317] DHCP: Request Vulnerability in DHCP Could Allow Code Execution:1 [2318] DHCP: Request Vulnerability in DHCP Could Allow Code Execution:2 [2319] HTTP: IIS Command Execution:1 [2320] HTTP: IIS Command Execution:2 [2321] HTTP: IIS Command Execution:3 [2322] HTTP: IIS Command Execution:4 [2323] HTTP: IIS Command Execution:5 [2324] HTTP: IIS Command Execution:6 [2325] HTTP: IIS Command Execution:7 [2326] HTTP: ColdFusion Start/Stop Vulnerability:1 [2327] HTTP: ColdFusion Start/Stop Vulnerability:2 [2328] SMTP: Vintra Mail Server EXPN DoS:1 [2329] HTTP: Cobalt Raq Appliance SHP Command Execution:1 [2330] HTTP: Cobalt Raq Appliance SHP Command Execution:2 [2331] HTTP: Cobalt Raq Appliance SHP Command Execution:3 [2332] H.225: PROTO Test Suite Scan:1 [2333] RPC: Sun rpc.yppasswd Buffer Overflow:1 [2334] RPC: Sun rpc.yppasswd Buffer Overflow:2 [2335] RPC: Sun rpc.yppasswd Buffer Overflow:3 [2336] RPC: Sun rpc.yppasswd Buffer Overflow:4 [2337] LDAP: Active Directory BO:1 [2338] BACKDOOR: Sub Seven Trojan 2.2:1 [2339] BACKDOOR: Sub Seven Trojan 2.2:2 [2340] HTTP: WEBgais Websendmail Remote Command Execution:1 [2341] HTTP: WEBgais Websendmail Remote Command Execution:2 [2342] HTTP: WEBgais Websendmail Remote Command Execution:3 [2343] SOCKS: SOCKS4A Hostname Buffer Overflow:1 [2344] SOCKS: SOCKS4A Hostname Buffer Overflow:2 [2345] BACKDOOR: Ruler:1 [2346] DNS: Infoleak TSIG Buffer Overflow:1 [2347] DNS: Infoleak TSIG Buffer Overflow:2 [2348] DNS: Infoleak TSIG Buffer Overflow:3 [2349] DNS: Infoleak TSIG Buffer Overflow:4 [2350] HTTP: XMLRPC Remote Code Execution:1 [2351] HTTP: XMLRPC Remote Code Execution:2 [2352] HTTP: Parameter Value Too Long with Shellcode Detected:2 [2353] HTTP: Parameter Value Too Long with Shellcode Detected:3 [2354] BACKDOOR: Kid Terro:1 [2355] MSSQL: xp_decodequeuecmd Possible Buffer Overflow:1 [2356] MSSQL: xp_decodequeuecmd Possible Buffer 
Overflow:2 [2357] HTTP: Microsoft IIS ..SLASH..DenialofService:1 [2358] HTTP: Microsoft IIS ..SLASH..DenialofService:2 [2359] WORM: W32/Mydoom.bb@MM Worm:1 [2360] WORM: W32/Mydoom.bb@MM Worm:2 [2361] WORM: W32/Mydoom.bb@MM Worm:3 [2362] WORM: W32/Mydoom.bb@MM Worm:4 [2363] WORM: W32/Mydoom.bb@MM Worm:5 [2364] WORM: W32/Mydoom.bb@MM Worm:6 [2365] TELNET: User Privilege Upgrade Attempt:1 [2366] TELNET: User Privilege Upgrade Attempt:2 [2367] TELNET: User Privilege Upgrade Attempt:3 [2368] BACKDOOR: Spirit:1 [2369] DoS: NewTear Attack:1 [2370] HTTP: Apache 2.0 Path Disclosure:1 [2371] NETBIOS-NS: Windows Name Conflict:1 [2372] HTTP: WebLogic Java/JSP Insertion:1 [2373] HTTP: WebLogic Java/JSP Insertion:2 [2374] RPC: AMD/AMQ Buffer Overflow:1 [2375] RPC: AMD/AMQ Buffer Overflow:2 [2376] RPC: AMD/AMQ Buffer Overflow:3 [2377] RPC: AMD/AMQ Buffer Overflow:4 [2378] RPC: AMD/AMQ Buffer Overflow:5 [2379] RPC: AMD/AMQ Buffer Overflow:6 [2380] RPC: AMD/AMQ Buffer Overflow:7 [2381] MSSQL: Xp_resetqueue Possible Buffer Overflow:1 [2382] MSSQL: Xp_resetqueue Possible Buffer Overflow:2 [2383] HTTP: MailStudio Design Error:1 [2384] HTTP: MailStudio Design Error:2 [2385] CA: BrightStor ARCserve Backup Discovery Service Remote Buffer Overflow:1 [2386] CA: BrightStor ARCserve Backup Discovery Service Remote Buffer Overflow:2 [2387] RLOGIN: User Password Too Long:1 [2388] RLOGIN: User Password Too Long:2 [2389] DNS: Microsoft SMTP Service DNS resolver overflow:1 [2390] DHCP: Root Exploit in DHCP Client:1 [2391] DHCP: Root Exploit in DHCP Client:2 [2392] BACKDOOR: Pest/Hydroleak/Latinus:1 [2393] BACKDOOR: Pest/Hydroleak/Latinus:2 [2394] HTTP: SuSE Apache CGI Source Code Viewing:1 [2395] HTTP: SuSE Apache CGI Source Code Viewing:2 [2396] SMTP: Majordomo Ifs:1 [2397] HTTP: SquirrelMail load_prefs.php Code Execution:1 [2398] HTTP: SquirrelMail load_prefs.php Code Execution:2 [2399] BACKDOOR: Dark Connection Inside:1 [2400] H.225: PROTO Invalid Destination Address Choice:1 [2401] BACKDOOR: 
Unexplained:1 [2402] BACKDOOR: Unexplained:2 [2403] BACKDOOR: Unexplained:3 [2404] FTP: Access Windows Password File Attempt:1 [2405] MSSQL: xp_printstatements Possible Buffer Overflow:1 [2406] MSSQL: xp_printstatements Possible Buffer Overflow:2 [2407] ORACLE: Buffer Overflows in EXTPROC:1 [2408] HTTP: Phf Execute Arbitrary Command:1 [2409] HTTP: Phf Execute Arbitrary Command:2 [2410] BACKDOOR: QwerTOS:1 [2411] BACKDOOR: QwerTOS:2 [2412] HTTP: Sun AnswerBook2 Administrative Script Access Vulnerability:1 [2413] HTTP: Sun AnswerBook2 Administrative Script Access Vulnerability:2 [2414] SMTP: Microsoft COM Object Instantiation Memory Corruption:1 [2415] SMTP: Microsoft COM Object Instantiation Memory Corruption:2 [2416] HTTP: ColdFusion Sample Application Usage:1 [2417] HTTP: ColdFusion Sample Application Usage:2 [2418] BACKDOOR: COMA:1 [2419] BACKDOOR: COMA:2 [2420] RPC: TTDBServerD IRIX LSD Buffer Overflow:1 [2421] RPC: TTDBServerD IRIX LSD Buffer Overflow:2 [2422] ORACLE: 9iAS XSQL Servlet File Permission Bypass:1 [2423] TELNET: Cisco 675 Root Privilege Gained:1 [2424] SMB: Microsoft SMB Client NT_Transaction Setupcount Overflow:1 [2425] LPR: Solaris lpd Buffer Overflow:1 [2426] LPR: Solaris lpd Buffer Overflow:2 [2427] HTTP: LISTSERV wa.exe Buffer Overflow:1 [2428] HTTP: LISTSERV wa.exe Buffer Overflow:2 [2429] HTTP: LISTSERV wa.exe Buffer Overflow:3 [2430] BACKDOOR: GayOL:1 [2431] HTTP: Imagemap Buffer Overflow:1 [2432] HTTP: Imagemap Buffer Overflow:2 [2433] HTTP: Imagemap Buffer Overflow:3 [2434] HTTP: Imagemap Buffer Overflow:4 [2435] ORACLE: Application Server Default Page SQL:1 [2436] ORACLE: Application Server Default Page SQL:2 [2437] HTTP: PHP Strings Exploit Buffer Overflow:1 [2438] HTTP: PHP Strings Exploit Buffer Overflow:2 [2439] HTTP: PHP Strings Exploit Buffer Overflow:3 [2440] HTTP: PHP Strings Exploit Buffer Overflow:4 [2441] P2P: KaZaA Client Connecting to Server:1 [2442] P2P: KaZaA Client Connecting to Server:2 [2443] P2P: KaZaA Client 
Connecting to Server:3 [2444] P2P: KaZaA Client Connecting to Server:4 [2445] P2P: KaZaA Client Connecting to Server:5 [2446] P2P: KaZaA Client Connecting to Server:6 [2447] SNMP: Inconsistent Data Length Specified:1 [2448] SNMP: Inconsistent Data Length Specified:2 [2449] SNMP: Inconsistent Data Length Specified:3 [2450] SNMP: Inconsistent Data Length Specified:4 [2451] SNMP: Inconsistent Data Length Specified:5 [2452] SNMP: Inconsistent Data Length Specified:6 [2453] SNMP: Inconsistent Data Length Specified:7 [2454] SNMP: Inconsistent Data Length Specified:8 [2455] DDoS: mstream Master-to-Handler Communication:1 [2456] HTTP: Microsoft Visual Studio .NET Crystal Reports Vulnerability:1 [2457] HTTP: Microsoft Visual Studio .NET Crystal Reports Vulnerability:2 [2458] BACKDOOR: New Silencer:1 [2459] TCP: TCP Window Withdrawl:1 [2460] P2P: BitTorrent Meta-Info Retrieving:1 [2461] P2P: BitTorrent Meta-Info Retrieving:2 [2462] BACKDOOR: Matrix Backdoor:1 [2463] MSSQL: xp_enumresultset Possible Buffer Overflow:1 [2464] MSSQL: xp_enumresultset Possible Buffer Overflow:2 [2465] SNMP: Length of Length Too Long:1 [2466] SNMP: Length of Length Too Long:2 [2467] SNMP: Length of Length Too Long:3 [2468] SNMP: Length of Length Too Long:4 [2469] SNMP: Length of Length Too Long:5 [2470] SNMP: Length of Length Too Long:6 [2471] SNMP: Length of Length Too Long:7 [2472] SNMP: Length of Length Too Long:8 [2473] TELNET: Root Account Remote Attempt:1 [2474] HTTP: Zeus Search Engine CGI File Disclosure:1 [2475] HTTP: Zeus Search Engine CGI File Disclosure:2 [2476] SMTP: Sendmail mail.local Exploit:1 [2477] DCERPC: Microsoft RPC Denial of Service:1 [2478] DCERPC: Microsoft RPC Denial of Service:2 [2479] IM: Yahoo Messenger Alive:1 [2480] IM: Yahoo Messenger Alive:2 [2481] IM: Yahoo Messenger Alive:3 [2482] IM: Yahoo Messenger Alive:5 [2483] IM: Yahoo Messenger Alive:6 [2484] HTTP: Guestbook Execute Command Attempt:1 [2485] HTTP: Guestbook Execute Command Attempt:2 [2486] ORACLE: 
Application Server Ndwfn4.so Buffer Overflow:1 [2487] ORACLE: Application Server Ndwfn4.so Buffer Overflow:3 [2488] ORACLE: Application Server Ndwfn4.so Buffer Overflow:2 [2489] SNMP: Common Format String Attack:1 [2490] SNMP: Common Format String Attack:2 [2491] SNMP: Common Format String Attack:3 [2492] SNMP: Common Format String Attack:4 [2493] SNMP: Common Format String Attack:5 [2494] SNMP: Common Format String Attack:6 [2495] SNMP: Common Format String Attack:7 [2496] SNMP: Common Format String Attack:8 [2497] SNMP: Common Format String Attack:9 [2498] SNMP: Common Format String Attack:10 [2499] SNMP: Common Format String Attack:11 [2500] SNMP: Common Format String Attack:12 [2501] SNMP: Common Format String Attack:13 [2502] SNMP: Common Format String Attack:14 [2503] SNMP: Common Format String Attack:15 [2504] NETBIOS-SS: SMB DoS Exploit:1 [2505] FINGER: Server Pipe Remote Command Execution:1 [2506] HTTP: PageServices Directory Disclosure:1 [2507] HTTP: PageServices Directory Disclosure:2 [2508] HTTP: ColdFusion sourcewindow File Disclosure:1 [2509] HTTP: ColdFusion sourcewindow File Disclosure:2 [2510] HTTP: ColdFusion sourcewindow File Disclosure:3 [2511] HTTP: Microsoft SQLXML ISAPI Buffer Overflow:1 [2512] HTTP: Microsoft SQLXML ISAPI Buffer Overflow:2 [2513] SSL: Certificate Microsoft ASN.1 BitStr Encoding Error:1 [2514] BACKDOOR: InCommand:1 [2515] BACKDOOR: InCommand:2 [2516] BACKDOOR: InCommand:3 [2517] BACKDOOR: InCommand:4 [2518] BACKDOOR: BioNet Trojan:2 [2519] BACKDOOR: BioNet Trojan:3 [2520] FTP: Buffer Overflow Attempt Detected:1 [2521] FTP: Buffer Overflow Attempt Detected:2 [2522] FTP: Buffer Overflow Attempt Detected:3 [2523] FTP: Buffer Overflow Attempt Detected:4 [2524] FTP: Buffer Overflow Attempt Detected:5 [2525] FTP: Buffer Overflow Attempt Detected:6 [2526] HTTP: SGI wrap Input Validation:1 [2527] HTTP: SGI wrap Input Validation:2 [2528] POP3: Buffer Overflow Attempt With AUTH Parameters:1 [2529] WORM: W32/Mydoom.ah@MM Worm:1 [2530] 
WORM: W32/Mydoom.ah@MM Worm:2 [2531] WORM: W32/Mydoom.ah@MM Worm:3 [2532] WORM: W32/Mydoom.ah@MM Worm:4 [2533] WORM: W32/Mydoom.ah@MM Worm:5 [2534] WORM: W32/Mydoom.ah@MM Worm:6 [2535] WORM: W32/Mydoom.ah@MM Worm:7 [2536] WORM: W32/Mydoom.ah@MM Worm:8 [2537] WORM: W32/Mydoom.ah@MM Worm:9 [2538] SMTP: RPMMail Remote Root Exploit:1 [2539] BACKDOOR: Lithium:1 [2540] HTTP: CGImail.exe Access File:1 [2541] HTTP: CGImail.exe Access File:2 [2542] WORM: W32/Mydoom.be@MM Worm:1 [2543] WORM: W32/Mydoom.be@MM Worm:2 [2544] WORM: W32/Mydoom.be@MM Worm:3 [2545] TELNET: Subnegotiation Parameter Too Long:1 [2546] TELNET: Subnegotiation Parameter Too Long:2 [2547] TELNET: Subnegotiation Parameter Too Long:3 [2548] BACKDOOR: UltimateRAT:1 [2549] DoS: TearDrop Attack:1 [2550] NetBIOS-SS: Windows 95/98 NULL Source Name:1 [2551] BOT: Floodnet IRC Activity:2 [2552] BACKDOOR: Cero 1.0:1 [2553] MSSQL: Xp_dirtree Possible Buffer Overflow:1 [2554] MSSQL: Xp_dirtree Possible Buffer Overflow:2 [2555] FTP: PASV Passwd Disclosure:1 [2556] HTTP: Faxsurvey Execute Command:1 [2557] HTTP: Faxsurvey Execute Command:2 [2558] HTTP: Faxsurvey Execute Command:3 [2559] EpicGames: Unreal Engine Secure Query Overflow :1 [2560] WORM: W32/Netsky.Q@MM Worm:1 [2561] WORM: W32/Netsky.Q@MM Worm:2 [2562] WORM: W32/Netsky.Q@MM Worm:3 [2563] WORM: W32/Netsky.Q@MM Worm:4 [2564] WORM: W32/Netsky.Q@MM Worm:5 [2565] WORM: W32/Netsky.Q@MM Worm:6 [2566] HTTP: WebDAV Method URL Overly Long:1 [2567] HTTP: WebDAV Method URL Overly Long:2 [2568] HTTP: WebDAV Method URL Overly Long:3 [2569] HTTP: Apache Tomcat Servlet Path Disclosure:1 [2570] HTTP: Apache Tomcat Servlet Path Disclosure:2 [2571] SMTP: AMaVis Arbitrary Command Execution:2 [2572] SMTP: Sendmail Exploit:1 [2573] SMTP: Sendmail Exploit:2 [2574] BACKDOOR: Exploiter:1 [2575] H.225: PROTO Source Address Sequence Anomaly:1 [2576] FTP: Glob Implementation Exploit:1 [2577] ORACLE: BFILENAME Buffer Overflow:1 [2578] HTTP: test-cgi Directory Listing:1 [2579] HTTP: 
test-cgi Directory Listing:2 [2580] POP3: Unusually Long Username with shellcode:10 [2581] WORM: W32/Bagle.ag@MM Worm:1 [2582] WORM: W32/Bagle.ag@MM Worm:2 [2583] WORM: W32/Bagle.ag@MM Worm:3 [2584] WORM: W32/Bagle.ag@MM Worm:4 [2585] WORM: W32/Bagle.ag@MM Worm:5 [2586] WORM: W32/Bagle.ag@MM Worm:6 [2587] IMAP: Buffer Overflow With Overly Long SUBSCRIBE Command Parameters:1 [2588] SSL: Connection Recycled:1 [2589] HTTP: Novell Netware Web Server 3.x files.pl Exploit:1 [2590] HTTP: Novell Netware Web Server 3.x files.pl Exploit:2 [2591] BACKDOOR: Amanda:1 [2592] BACKDOOR: Amanda:2 [2593] MSSQL: xp_dsninfo Possible Buffer Overflow:1 [2594] MSSQL: xp_dsninfo Possible Buffer Overflow:2 [2595] ORACLE: TNS Denial Of Service Vulnerability:1 [2596] ORACLE: TNS Denial Of Service Vulnerability:2 [2597] HTTP: IIS dvwssr.dll View File:1 [2598] HTTP: IIS dvwssr.dll View File:2 [2599] HTTP: HAHTSite Server Buffer Overflow:1 [2600] HTTP: HAHTSite Server Buffer Overflow:2 [2601] HTTP: ActivePerl perlIIS.dll Buffer Overflow:1 [2602] HTTP: ActivePerl perlIIS.dll Buffer Overflow:2 [2603] HTTP: ActivePerl perlIIS.dll Buffer Overflow:3 [2604] HTTP: Buffer Overflow in NGSSoftware Webadmin:1 [2605] HTTP: Buffer Overflow in NGSSoftware Webadmin:2 [2606] HTTP: Buffer Overflow in NGSSoftware Webadmin:3 [2607] HTTP: PostQuery CGI Overflow:1 [2608] HTTP: PostQuery CGI Overflow:2 [2609] BACKDOOR: Bigorna:1 [2610] BACKDOOR: Bigorna:2 [2611] HTTP: IIS htr Obtain Code:1 [2612] HTTP: IIS htr Obtain Code:2 [2613] HTTP: WebDAV Search Buffer Overflow:1 [2614] HTTP: WebDAV Search Buffer Overflow:2 [2615] HTTP: WebDAV Search Buffer Overflow:3 [2616] POP3: Fusemail Exploit:1 [2617] TELNET: Cisco IOS Software Telnet Option Handling DoS:1 [2618] WORM: W32/Netsky.p@MM Worm:1 [2619] WORM: W32/Netsky.p@MM Worm:2 [2620] WORM: W32/Netsky.p@MM Worm:3 [2621] WORM: W32/Netsky.p@MM Worm:4 [2622] WORM: W32/Netsky.p@MM Worm:5 [2623] WORM: W32/Netsky.p@MM Worm:6 [2624] BACKDOOR: NOSecure:1 [2625] HTTP: ARSC Chat Path 
Disclosure:1 [2626] HTTP: ARSC Chat Path Disclosure:2 [2627] TCP: Urgent Data Pointer Points Beyond The Length of the Packet:1 [2628] P2P: SoulSeek Alive:1 [2629] P2P: SoulSeek Alive:2 [2630] RPC: Stated Notify Generic Length Buffer Overflow:1 [2631] SCAN: SMTP CyberCop EHLO Probe:1 [2632] NTALK: talkd Name Parsing Exploit:1 [2633] MSSQL: sp_adduser Database User Creation:1 [2634] MSSQL: sp_adduser Database User Creation:2 [2635] DoS: Cisco Catalyst Supervisor Remote Reload:1 [2636] TELNET: Password Too Long:1 [2637] SSH: CRC 32 Compensation Attack:1 [2638] SSH: CRC 32 Compensation Attack:2 [2639] NETBIOS-SS: Microsoft NTLM ASN.1 Heap Corruption:1 [2640] NETBIOS-SS: Microsoft NTLM ASN.1 Heap Corruption:2 [2641] HTTP: Microsoft FrontPage htimage.exe Path Disclosure:1 [2642] HTTP: Microsoft FrontPage htimage.exe Path Disclosure:2 [2643] SMTP: Shellcode by Invalid Command:1 [2644] HTTP: CA Unicenter File Upload:1 [2645] HTTP: CA Unicenter File Upload:2 [2646] SSL: Server-Initiated Key Renegotiation Detected:1 [2647] BACKDOOR: Maverick's Matrix Backdoor:1 [2648] P2P: Gnutella Connected to Server:3 [2649] ORACLE: 9iAS OracleJSP Information Disclosure Vulnerability:1 [2650] HTTP: Phorum auth.php3 Access File:1 [2651] HTTP: Phorum auth.php3 Access File:2 [2652] ORACLE: Brute Force Login:1 [2653] HTTP: Cart32 Admin Password Vulnerability:1 [2654] HTTP: Cart32 Admin Password Vulnerability:2 Regular expressions: [0] ip-fragment-too-large [1] udp-length-mismatch [2] tcp-hdr-too-small [3] tcp-hdr-beyond-pkt [4] tcp-window-withdrawl [5] tcp-urgent-ptr-zero [6] tcp-urgent-ptr-beyond-pkt [7] tcp-urgent-set-ack-zero [8] tcp-window-scale-options [9] tcp-t-tcp-option [10] tcp-timestamps-option [11] tcp-md5 [12] icmp-source-quench-set [13] sibyte-pkt-buffers-low [14] sibyte-reassembly-buffers-exhausted [15] sibyte-tcp-udp-control-blocks-exhausted [16] sibyte-attack-markers-exhausted [17] ip-too-many-small-fragments [18] sibyte-tcp-udp-unfinished-conn-blocks-exhausted [19] 
binary-char-count-threshold-exceeded [20] shellcode-detected-for-arch-i386 [21] shellcode-detected-for-arch-sparc [22] shellcode-detected-for-arch-powerpc [23] sibyte-prevdata-nodes-exhausted [24] sibyte-prevdata-bufs-exhausted [25] sibyte-shellcode-detect-state-nodes-exhausted [26] invalid-quote-encoding [27] tcp-xmas-nmap-probe [28] tcp-xmas-syn-probe [29] tcp-bare-push-probe [30] land-attack-pkt [31] winnuke-attack-pkt [32] raptor-dos-pkt [33] tcp-fin-no-ack-probe [34] tcp-syn-fin-probe [35] tcp-cybercop-os-probe1 [36] tcp-ms-syn-fin-probe [37] stackeldraht-agent-spoof-test [38] tcp-null-probe [39] ip-new-tear-attack [40] ip-syn-drop-attack [41] ip-bonk-attack [42] ip-tear-drop-attack [43] ping-of-death-attack [44] jolt2-icmp-attack [45] jolt2-udp-attack [46] ip-fragment-overlap [47] udp-land-attack-pkt [48] tcp-segment-overlap-data-mismatch [49] cisco-syslog-dos [50] nortel-empty-snmp-dos [51] shellcode-detected-for-arch-mips [52] shellcode-detected-for-arch-hppa [53] jolt-icmp-attack [54] cisco-ios-protocol-dos [55] icmp-nachi-sysevent [56] arp-addr-flip-flop-sysevent [57] arp-mac-cloned-sysevent [58] arp-spoofed-sysevent [59] arp-spoofed-with-dup-mac-captured [60] arp-bcast-sender-addr-sysevent [61] arp-bcast-destn-mac-sysevent [62] fragmented-igmp-packet [63] igmp-fawx-attack [64] igmp-koc-attack [65] ssl-bad-state-transition [66] ssl-pkt-with-no-connection [67] tcp-invalid-rst-bgp [68] ssl-connection-recycled [69] ssl-connections-exhausted [70] ssl-session-recycled [71] ssl-sessions-exhausted [72] ssl-session-refs-exhausted [73] ssl-unsupported-cipher [74] ssl-unknown-cipher [75] ssl-unsupported-export-cipher [76] ssl-unsupported-diffie-hellman [77] slammer-data-seen [78] inconclusive-protocol-identification [79] string-match:finger-client-data-text:\x0A (fcase =no) [80] unsigned-gt:rtsp-req-transport-header-len:0xffffffff:1024:no [81] string-match:ftp-cwd-cmd-param: ~{(fcase =no) [82] string-match:ftp-stor-cmd-param: ~{(fcase =no) [83] 
string-match:ftp-dele-cmd-param: ~{(fcase =no) [84] string-match:ftp-stat-cmd-param: ~{(fcase =no) [85] string-match:ftp-list-cmd-param: ~{(fcase =no) [86] string-match:ftp-site-cmd-param: ~{(fcase =no) [87] unsigned-gt:ftp-cwd-cmd-param-length:0xffffffff:128:no [88] unsigned-gt:ftp-mkd-cmd-param-length:0xffffffff:128:no [89] string-match:http-req-header:\x0a\xf7\x02\x97(fcase =no) [90] string-match:http-req-header:\x0b\x18\x02\x98(fcase =no) [91] string-match:http-req-header:\x0b\x39\x02\x99(fcase =no) [92] string-match:http-req-header:\x0b\x5a\x02\x9a(fcase =no) [93] string-match:http-req-header:\x20\x20\x08\x01(fcase =no) [94] string-match:http-req-header:\xe4\x20\xe0\x08(fcase =no) [95] string-match:http-req-header:\x24\x02\x04\x53(fcase =no) [96] string-match:http-req-header:\x24\x02\x03\xf3(fcase =no) [97] string-match:http-req-header:\x24\x02\x04\x25(fcase =no) [98] string-match:http-req-header:\x24\x02\x03\xee(fcase =no) [99] string-match:http-req-header:\x24\x02\x03\xeb(fcase =no) [100] string-match:http-req-header:\x03\xff\xff\xcc(fcase =no) [101] string-match:http-req-header:\x02..\x0c(fcase =no) [102] string-match:http-req-header:\x01\x01\x01\x0c(fcase =no) [103] string-match:http-req-header:\x13\x74\xf0\x47(fcase =no) [104] string-match:http-req-header:\x12\x74\xf0\x47(fcase =no) [105] string-match:http-req-header:\x11\x74\xf0\x47(fcase =no) [106] string-match:http-req-header:/bin/sh(fcase =no) [107] string-match:http-req-header:\xff\xff\xff\xed\xff\x1f\xd2/bin(fcase =no) [108] string-match:http-req-header:\xff\x7e\xb2\x13\x94\xe7\x43\x20\x35\x60\x42(fcase =no) [109] string-match:http-req-header:h....X5....H..PP..PPa(fcase =no) [110] string-match:http-req-header:PQX-....-....-....PQX(fcase =no) [111] string-match:http-req-header:PQX-....-....PQX(fcase =no) [112] string-match:http-req-header:\x80\x30.\x40\xe2\xfa(fcase =no) [113] string-match:http-req-header:\xac\x34.\xaa\xe2\xfa(fcase =no) [114] 
string-match:http-req-header:\x2C\x61\x90\x50\x59\x66\xAD\x90(fcase =no) [115] string-match:http-req-header:\xac\x2c.\xaa\xe2\xf5(fcase =no) [116] string-match:http-req-header:\x9a\xff\xff\xff\xff\x07\xff(fcase =no) [117] string-match:http-req-header:\xaa\x10\x10\x10\x10\x17\x10(fcase =no) [118] string-match:http-req-header:\x9a\x01\x02\x03\x5c\x07\x04(fcase =no) [119] string-match:http-req-header:\x9a\x04\x04\x04\x04\x07\x04(fcase =no) [120] string-match:http-req-header:\x9a\x24\x24\x24\x24\x07\x24(fcase =no) [121] string-match:http-webdav-propfind-req-message-body:xmlns:a(fcase =no) [122] string-match:http-webdav-propfind-req-message-body:"DAV:">(fcase =no) [123] unsigned-gt:http-rsp-code:0xffffffff:399:no [124] numerical-eq:http-rsp-server-type:0xffffffff:1:yes [125] string-match:telnet-client-data-text:\xFF\xF6\xFF\xFB\x08\xFF\xFB\x26(fcase =no) [126] string-match:telnet-server-data-text:Yes]\x0D\x0A\xFF\xFE\x08(fcase =no) [127] string-match:telnet-client-data-text:\xFF\xF5\xFF(fcase =no) [128] string-match:telnet-client-data-text:\xFF\xF6\xFF\xFB\x08\xFF\xF6(fcase =no) [129] numerical-eq:telnet-iac-cmd-counter:0xffffffff:5000:no [130] string-match:telnet-client-environ-sb-param:\xCD\x80(fcase =no) [131] string-match:telnet-client-environ-sb-param:\xBF\xEE\xEE\xEE\xEE\x08\xB8(fcase =no) [132] string-match:http-req-uri-path:loadpage\.cgi$(fcase =yes) [133] string-match:http-req-uri-path:search\.cgi$(fcase =yes) [134] string-match:http-req-uri-query-params:file=|(fcase =yes) [135] string-match:http-req-uri-query-params:/(etc|bin|usr|sbin)/(fcase =yes) [136] string-match:http-req-header:/ HTTP/1\.1\r\nHost: www\.(sco|microsoft)\.com\r\n\r\n(fcase =yes) [137] string-match:pktsearch-req-text:^verpc,(fcase =no) [138] string-match:pktsearch-rsp-text:^verpc,(fcase =no) [139] string-match:pktsearch-req-text:^BN.\x00\x02\x00(fcase =no) [140] string-match:pktsearch-rsp-text:^BN.\x00\x02\x00(fcase =no) [141] string-match:pktsearch-rsp-text:^NetBus\x20\x31\...\x20\x0d(fcase 
=no) [142] string-match:pktsearch-rsp-text:^Leszcz 5\.50 \x0d(fcase =no) [143] string-match:smtp-EXE-message-body:ZEQgfXN1O1OkmLPEg2Rme6Ti(fcase =no) [144] string-match:smtp-EXE-message-body:SNwr4lar6db51XROhdbC/cHg(fcase =no) [145] string-match:smtp-SCR-message-body:ZEQgfXN1O1OkmLPEg2Rme6Ti(fcase =no) [146] string-match:smtp-SCR-message-body:SNwr4lar6db51XROhdbC/cHg(fcase =no) [147] string-match:smtp-COM-message-body:ZEQgfXN1O1OkmLPEg2Rme6Ti(fcase =no) [148] string-match:smtp-COM-message-body:SNwr4lar6db51XROhdbC/cHg(fcase =no) [149] string-match:smtp-CPL-message-body:ZEQgfXN1O1OkmLPEg2Rme6Ti(fcase =no) [150] string-match:smtp-CPL-message-body:SNwr4lar6db51XROhdbC/cHg(fcase =no) [151] string-match:imap-EXE-message-body:ZEQgfXN1O1OkmLPEg2Rme6Ti(fcase =no) [152] string-match:imap-EXE-message-body:SNwr4lar6db51XROhdbC/cHg(fcase =no) [153] string-match:imap-SCR-message-body:ZEQgfXN1O1OkmLPEg2Rme6Ti(fcase =no) [154] string-match:imap-SCR-message-body:SNwr4lar6db51XROhdbC/cHg(fcase =no) [155] string-match:imap-COM-message-body:ZEQgfXN1O1OkmLPEg2Rme6Ti(fcase =no) [156] string-match:imap-COM-message-body:SNwr4lar6db51XROhdbC/cHg(fcase =no) [157] string-match:imap-CPL-message-body:ZEQgfXN1O1OkmLPEg2Rme6Ti(fcase =no) [158] string-match:imap-CPL-message-body:SNwr4lar6db51XROhdbC/cHg(fcase =no) [159] string-match:pop3-EXE-message-body:ZEQgfXN1O1OkmLPEg2Rme6Ti(fcase =no) [160] string-match:pop3-EXE-message-body:SNwr4lar6db51XROhdbC/cHg(fcase =no) [161] string-match:pop3-SCR-message-body:ZEQgfXN1O1OkmLPEg2Rme6Ti(fcase =no) [162] string-match:pop3-SCR-message-body:SNwr4lar6db51XROhdbC/cHg(fcase =no) [163] string-match:pop3-COM-message-body:ZEQgfXN1O1OkmLPEg2Rme6Ti(fcase =no) [164] string-match:pop3-COM-message-body:SNwr4lar6db51XROhdbC/cHg(fcase =no) [165] string-match:pop3-CPL-message-body:ZEQgfXN1O1OkmLPEg2Rme6Ti(fcase =no) [166] string-match:pop3-CPL-message-body:SNwr4lar6db51XROhdbC/cHg(fcase =no) [167] string-match:http-req-uri-path:site\.csc(fcase =yes) [168] 
numerical-eq:http-rsp-server-type:0xffffffff:2:yes [169] string-match:ftp-cwd-cmd-param:^\.\.\.(fcase =no) [170] string-match:ftp-cwd-cmd-param:/\.\.\./(fcase =no) [171] string-match:http-req-uri-path:(\\|/)scripts(fcase =yes) [172] string-match:http-req-uri-path:(\\|/)newdsn.exe$(fcase =yes) [173] string-match:http-req-uri-query-param-name:driver(fcase =yes) [174] string-match:http-req-uri-query-param-value:Microsoft+Access+Driver+\(*\.mdb\)(fcase =yes) [175] string-match:http-req-uri-query-param-name:dbq(fcase =yes) [176] string-match:http-req-uri-query-param-name:newdb(fcase =yes) [177] string-match:http-req-uri-query-param-value:CREATE_DB(fcase =yes) [178] string-match:http-post-req-uri-path:(\\|/)scripts(fcase =yes) [179] string-match:http-post-req-uri-path:(\\|/)newdsn.exe$(fcase =yes) [180] string-match:http-post-req-message-body:driver(fcase =yes) [181] string-match:http-post-req-message-body:Microsoft+Access+Driver+\(*\.mdb\)(fcase =yes) [182] string-match:http-post-req-message-body:dbq(fcase =yes) [183] string-match:http-post-req-message-body:newdb(fcase =yes) [184] string-match:http-post-req-message-body:CREATE_DB(fcase =yes) [185] unsigned-gt:rexec-login-fail-counter:0xffffffff:0:no [186] string-match:snmp-set-varbind-object-id-field:^\x2b\x06\x01\x04\x01\x82\x37\x01\x02\x05\x03(fcase =no) [187] string-match:tftp-rrq-filename:prn(fcase =yes) [188] string-match:tftp-rrq-filename:(lpt|com)[1-9](fcase =yes) [189] unsigned-gt:imap-examine-cmd-param-length:0xffffffff:260:no [190] string-match:netbios-ss-smb-CREATE-filename:\x00\\\x00i\x00r\x00a\x00q\x00_\x00o\x00i\x00l\x00\.\x00e\x00x\x00e(fcase =yes) [191] string-match:http-req-uri-path:/ConsoleHelp/(fcase =yes) [192] string-match:netbios-ss-smb-check_directory-buffer:\.\.(/|\.)(fcase =no) [193] string-match:pktsearch-req-text:^/MSG,Rootbeer Rules!(fcase =no) [194] string-match:pktsearch-req-text:^/QUE,(fcase =no) [195] string-match:pktsearch-req-text:^/FIL,(fcase =no) [196] 
string-match:pktsearch-req-text:^/NFO,(fcase =no) [197] numerical-eq:pktsearch-dst-port:0xffffffff:2600:no [198] numerical-eq:kerberos-error-code:0xffffffff:constructed-primitive-type:no [199] string-match:ftp-pass-cmd-param:\x31\xc0\x31\xdb\x31\xc9\xb0(fcase =no) [200] string-match:ftp-site-cmd-param:%x%x%x(fcase =no) [201] string-match:ftp-site-cmd-param:(%hn|%n)$(fcase =no) [202] string-match:http-req-uri-path:(\\|/)info2www$(fcase =no) [203] string-match:http-req-uri-query-params:\.\.(/|\\)(fcase =no) [204] numerical-eq:http-rsp-server-type:0xffffffff:2:no [205] numerical-eq:icmp-echo-reply-id:0xffffffff:123:no [206] string-match:icmp-echo-reply-payload:shell bound (fcase =no) [207] string-match:smtp-PIF-message-body:ptJ1NSsCzj0o7wh3ZvpxJ7GX(fcase =no) [208] string-match:smtp-PIF-message-body:uDOHMvb/dxkUvjLLK5tb2iAQ(fcase =no) [209] string-match:pop3-PIF-message-body:ptJ1NSsCzj0o7wh3ZvpxJ7GX(fcase =no) [210] string-match:pop3-PIF-message-body:uDOHMvb/dxkUvjLLK5tb2iAQ(fcase =no) [211] string-match:imap-PIF-message-body:ptJ1NSsCzj0o7wh3ZvpxJ7GX(fcase =no) [212] string-match:imap-PIF-message-body:uDOHMvb/dxkUvjLLK5tb2iAQ(fcase =no) [213] unsigned-gt:dhcp-req-cf-hostname-option-len:0xffffffff:254:no [214] string-match:dhcp-req-sf-hostname-option:%(n|hn)%(fcase =no) [215] string-match:dhcp-req-sf-hostname-option:\x90\x90\x90\x90(fcase =no) [216] unsigned-gt:imap-examine-cmd-param-length:0xffffffff:250:no [217] unsigned-gt:ftp-pass-cmd-param-length:0xffffffff:128:no [218] string-match:pktsearch-req-text:\x0a\xf7\x02\x97(fcase =no) [219] string-match:pktsearch-req-text:\x0b\x18\x02\x98(fcase =no) [220] string-match:pktsearch-req-text:\x0b\x39\x02\x99(fcase =no) [221] string-match:pktsearch-req-text:\x0b\x5a\x02\x9a(fcase =no) [222] string-match:pktsearch-req-text:\x20\x20\x08\x01\xe4\x20\xe0\x08(fcase =no) [223] string-match:pktsearch-req-text:\x20\x20\x08\x01(fcase =no) [224] string-match:pktsearch-req-text:\xe4\x20\xe0\x08(fcase =no) [225] 
string-match:pktsearch-req-text:.bin.sh(fcase =no) [226] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:50766:no [227] string-match:pktsearch-req-text:^access(fcase =no) [228] string-match:pktsearch-rsp-text:^access ok (fcase =no) [229] unsigned-gt:mms-req-length:0xffffffff:0x80000000:no [230] string-match:http-req-uri-path:(\\|/)view-source$(fcase =no) [231] string-match:http-req-uri-query-params:^\.\.(/|\\)(fcase =no) [232] string-match:rsh-username-client-login:^root[\r\n](fcase =no) [233] string-match:rsh-client-handshake-serveruser-text:^root$(fcase =no) [234] unsigned-gt:pop3-retr-cmd-param-length:0xffffffff:200:no [235] string-match:smtp-name-message-header:price(fcase =yes) [236] string-match:smtp-ZIP-message-body:YLPIa0vCR0SLSKFpBwllpOa6(fcase =no) [237] string-match:smtp-ZIP-message-body:OtrDt3FikercXwphogjIKWSF(fcase =no) [238] string-match:pop3-name-message-header:price(fcase =yes) [239] string-match:pop3-ZIP-message-body:YLPIa0vCR0SLSKFpBwllpOa6(fcase =no) [240] string-match:pop3-ZIP-message-body:OtrDt3FikercXwphogjIKWSF(fcase =no) [241] string-match:imap-name-message-header:price(fcase =yes) [242] string-match:imap-ZIP-message-body:YLPIa0vCR0SLSKFpBwllpOa6(fcase =no) [243] string-match:imap-ZIP-message-body:OtrDt3FikercXwphogjIKWSF(fcase =no) [244] unsigned-gt:imap-status-cmd-param-length:0xffffffff:128:no [245] string-match:ssh-req-text:a%a%a%a%a%(fcase =no) [246] unsigned-gt:netbios-ss-dcerpc-license-request-length:0xffffffff:1128:no [247] unsigned-gt:netbios-ss-dcerpc-license-host-length:0xffffffff:0x10:no [248] string-match:http-req-uri-path:dfire\.cgi$(fcase =yes) [249] string-match:http-req-uri-query-param-name:(ipinc|ipone)=|(fcase =yes) [250] string-match:http-req-uri-query-param-name:(ipinc|ipone)$(fcase =yes) [251] string-match:http-req-uri-query-param-value:(uname|/etc/|ls+)(fcase =yes) [252] unsigned-gt:smtp-mail-cmd-param-length:0xffffffff:128:no [253] string-match:http-req-uri-path:(/|\\)ccbill(/|\\)(fcase =yes) [254] 
string-match:http-req-uri-path:(/|\\)whereami\.cgi(fcase =yes) [255] string-match:pktsearch-req-text:\x13BitTorrent protoco(fcase =no) [256] string-match:pktsearch-rsp-text:\x13BitTorrent protoco(fcase =no) [257] string-match-ap:req-content-text:\x13BitTorrent protocol(fcase =no)(offset=0, depth=0) [258] string-match-ap:rsp-content-text:\x13BitTorrent protocol(fcase =no)(offset=0, depth=0) [259] string-match:http-req-content-type-header:application\/x-bittorrent(fcase =no) [260] string-match-ap:req-content-text:\x13BitTorrent protoco(fcase =no) [261] string-match-ap:rsp-content-text:\x13BitTorrent protoco(fcase =no) [262] string-match:ftp-pass-cmd-param:ddd@$(fcase =no) [263] string-match:http-req-user-agent-header:Webtrends Security Analyzer(fcase =no) [264] string-match:pop3-invalid-cmd-text:\xeb\x32\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x12\x89\x5e\x17(fcase =no) [265] string-match:pop3-invalid-cmd-text:\xff\xff/bin/sh\xaa\xaa\xaa\xaa(fcase =no) [266] string-match:telnet-client-environ-sb-param:(\x03|\x00|\x01)TTYPROMPT(\x00|\x01)(fcase =yes) [267] string-match:telnet-client-environ-sb-param:(\x03|\x00|\x01)TTYP\x02ROMPT(\x00|\x01)(fcase =yes) [268] string-match:tftp-rrq-filename:(passwd|shadow)(fcase =no) [269] string-match:tftp-rrq-filename:/etc/group(fcase =no) [270] string-match:tftp-rrq-filename:\.pwl(fcase =no) [271] string-match:tftp-rrq-filename:win\.ini(fcase =no) [272] string-match:smtp-EXE-message-body:F/oCfAmSCCMO+TpIdWouIwgU(fcase =no) [273] string-match:smtp-EXE-message-body:1hXdLOssdwIFMMBVrEjtAceL(fcase =no) [274] string-match:smtp-PIF-message-body:F/oCfAmSCCMO+TpIdWouIwgU(fcase =no) [275] string-match:smtp-PIF-message-body:1hXdLOssdwIFMMBVrEjtAceL(fcase =no) [276] string-match:smtp-subject-message-header:il account s(fcase =no) [277] string-match:smtp-subject-message-header:fy about usi(fcase =no) [278] string-match:smtp-subject-message-header:ing about yo(fcase =no) [279] string-match:smtp-subject-message-header:tant notify (fcase =no) [280] 
string-match:smtp-subject-message-header:fy about you(fcase =no) [281] string-match:smtp-subject-message-header:l account di(fcase =no) [282] string-match:smtp-message-body:password pro(fcase =no) [283] string-match:smtp-message-body:reasons. Pas(fcase =no) [284] string-match:smtp-message-body:following pa(fcase =no) [285] string-match:smtp-name-message-header:\.zip(fcase =yes) [286] string-match:pop3-EXE-message-body:F/oCfAmSCCMO+TpIdWouIwgU(fcase =no) [287] string-match:pop3-EXE-message-body:1hXdLOssdwIFMMBVrEjtAceL(fcase =no) [288] string-match:pop3-PIF-message-body:F/oCfAmSCCMO+TpIdWouIwgU(fcase =no) [289] string-match:pop3-PIF-message-body:1hXdLOssdwIFMMBVrEjtAceL(fcase =no) [290] string-match:pop3-subject-message-header:il account s(fcase =no) [291] string-match:pop3-subject-message-header:fy about usi(fcase =no) [292] string-match:pop3-subject-message-header:ing about yo(fcase =no) [293] string-match:pop3-subject-message-header:tant notify (fcase =no) [294] string-match:pop3-subject-message-header:fy about you(fcase =no) [295] string-match:pop3-subject-message-header:l account di(fcase =no) [296] string-match:pop3-message-body:password pro(fcase =no) [297] string-match:pop3-message-body:reasons. 
Pas(fcase =no) [298] string-match:pop3-message-body:following pa(fcase =no) [299] string-match:pop3-name-message-header:\.zip(fcase =yes) [300] string-match:imap-EXE-message-body:F/oCfAmSCCMO+TpIdWouIwgU(fcase =no) [301] string-match:imap-EXE-message-body:1hXdLOssdwIFMMBVrEjtAceL(fcase =no) [302] string-match:imap-PIF-message-body:F/oCfAmSCCMO+TpIdWouIwgU(fcase =no) [303] string-match:imap-PIF-message-body:1hXdLOssdwIFMMBVrEjtAceL(fcase =no) [304] string-match:imap-subject-message-header:il account s(fcase =no) [305] string-match:imap-subject-message-header:fy about usi(fcase =no) [306] string-match:imap-subject-message-header:ing about yo(fcase =no) [307] string-match:imap-subject-message-header:tant notify (fcase =no) [308] string-match:imap-subject-message-header:fy about you(fcase =no) [309] string-match:imap-subject-message-header:l account di(fcase =no) [310] string-match:imap-message-body:password pro(fcase =no) [311] string-match:imap-message-body:reasons. Pas(fcase =no) [312] string-match:imap-message-body:following pa(fcase =no) [313] string-match:imap-name-message-header:\.zip(fcase =yes) [314] numerical-eq:rpc-call-version:0xffffffff:1:no [315] numerical-eq:rpc-call-prognum:0xffffffff:100024:no [316] numerical-eq:rpc-call-procedure:0xffffffff:4:no [317] unsigned-gt:rpc-call-data-len:0xffffffff:1000:no [318] numerical-eq:tds-mssql-req-frag-counter:0xffffffff:2000:no [319] string-match:http-req-uri-path:\.idq$(fcase =yes) [320] string-match:http-req-uri-query-param-name:CiTemplate(fcase =yes) [321] string-match:http-req-uri-query-param-value:\.\./(fcase =no) [322] string-match:http-req-uri-path:(\\|/)AnyForm2(fcase =yes) [323] string-match:http-req-query-param-name:AnyFormTo(fcase =no) [324] string-match:http-req-query-param-value:;/(bin|usr/bin|sbin|usr/sbin)/(fcase =no) [325] numerical-eq:pktsearch-udp-src-port:0xffffffff:4000:no [326] unsigned-gt:pktsearch-req-pktlen:0xffffffff:612:no [327] string-match:pktsearch-req-text:^\x05\x00.....\x12\x02(fcase 
=no) [328] string-match:pktsearch-req-text:\x05\x00.....\x6e\x00(fcase =no) [329] string-match:pktsearch-req-text:\x05\x00.....\xde\x03(fcase =no) [330] string-match:pktsearch-req-text:\x31\xc0\x50\x50\x2d\x03\xbc\xfc\xff\xf7(fcase =no) [331] string-match:pktsearch-ciscoacs-req-text:^%%%%%XX%%%%%(fcase =no) [332] string-match:telnet-username-client-login:^4Dgifts$(fcase =no) [333] string-match:telnet-username-client-login:^lp$(fcase =no) [334] string-match:telnet-username-client-login:^tour$(fcase =no) [335] string-match:telnet-username-client-login:^tutor$(fcase =no) [336] string-match:telnet-username-client-login:^demos$(fcase =no) [337] string-match:telnet-username-client-login:^EZsetup$(fcase =no) [338] string-match:telnet-username-client-login:^OutOfBox$(fcase =no) [339] numerical-eq:http-error-code:0xffffffff:INVALID_AUTH_BASIC_BASE64:no [340] numerical-eq:http-dst-port:0xffffffff:901:no [341] string-match:smtp-CPL-message-body:+oNfsvE0YyAOO+zFKMVS5OvW(fcase =no) [342] string-match:smtp-CPL-message-body:EcgSNqofcGbj+lTm2dV0BnjL(fcase =no) [343] string-match:smtp-SCR-message-body:cbDWEOoL5XZsfwlIciEloPxx(fcase =no) [344] string-match:smtp-SCR-message-body:jP58PgsWsAArCNym2P2aO01B(fcase =no) [345] string-match:smtp-PIF-message-body:cbDWEOoL5XZsfwlIciEloPxx(fcase =no) [346] string-match:smtp-PIF-message-body:jP58PgsWsAArCNym2P2aO01B(fcase =no) [347] string-match:smtp-EXE-message-body:cbDWEOoL5XZsfwlIciEloPxx(fcase =no) [348] string-match:smtp-EXE-message-body:jP58PgsWsAArCNym2P2aO01B(fcase =no) [349] string-match:smtp-COM-message-body:cbDWEOoL5XZsfwlIciEloPxx(fcase =no) [350] string-match:smtp-COM-message-body:jP58PgsWsAArCNym2P2aO01B(fcase =no) [351] string-match:smtp-HTA-message-body:108,143,109,52,207,234,33,242,37,210,17,249,5(fcase =no) [352] string-match:smtp-VBS-message-body:108,143,109,52,207,234,33,242,37,210,17,249,5(fcase =no) [353] string-match:imap-CPL-message-body:+oNfsvE0YyAOO+zFKMVS5OvW(fcase =no) [354] 
string-match:imap-CPL-message-body:EcgSNqofcGbj+lTm2dV0BnjL(fcase =no) [355] string-match:imap-SCR-message-body:cbDWEOoL5XZsfwlIciEloPxx(fcase =no) [356] string-match:imap-SCR-message-body:jP58PgsWsAArCNym2P2aO01B(fcase =no) [357] string-match:imap-PIF-message-body:cbDWEOoL5XZsfwlIciEloPxx(fcase =no) [358] string-match:imap-PIF-message-body:jP58PgsWsAArCNym2P2aO01B(fcase =no) [359] string-match:imap-EXE-message-body:cbDWEOoL5XZsfwlIciEloPxx(fcase =no) [360] string-match:imap-EXE-message-body:jP58PgsWsAArCNym2P2aO01B(fcase =no) [361] string-match:imap-COM-message-body:cbDWEOoL5XZsfwlIciEloPxx(fcase =no) [362] string-match:imap-COM-message-body:jP58PgsWsAArCNym2P2aO01B(fcase =no) [363] string-match:imap-HTA-message-body:108,143,109,52,207,234,33,242,37,210,17,249,5(fcase =no) [364] string-match:imap-VBS-message-body:108,143,109,52,207,234,33,242,37,210,17,249,5(fcase =no) [365] string-match:pop3-CPL-message-body:+oNfsvE0YyAOO+zFKMVS5OvW(fcase =no) [366] string-match:pop3-CPL-message-body:EcgSNqofcGbj+lTm2dV0BnjL(fcase =no) [367] string-match:pop3-SCR-message-body:cbDWEOoL5XZsfwlIciEloPxx(fcase =no) [368] string-match:pop3-SCR-message-body:jP58PgsWsAArCNym2P2aO01B(fcase =no) [369] string-match:pop3-PIF-message-body:cbDWEOoL5XZsfwlIciEloPxx(fcase =no) [370] string-match:pop3-PIF-message-body:jP58PgsWsAArCNym2P2aO01B(fcase =no) [371] string-match:pop3-EXE-message-body:cbDWEOoL5XZsfwlIciEloPxx(fcase =no) [372] string-match:pop3-EXE-message-body:jP58PgsWsAArCNym2P2aO01B(fcase =no) [373] string-match:pop3-COM-message-body:cbDWEOoL5XZsfwlIciEloPxx(fcase =no) [374] string-match:pop3-COM-message-body:jP58PgsWsAArCNym2P2aO01B(fcase =no) [375] string-match:pop3-HTA-message-body:108,143,109,52,207,234,33,242,37,210,17,249,5(fcase =no) [376] string-match:pop3-VBS-message-body:108,143,109,52,207,234,33,242,37,210,17,249,5(fcase =no) [377] unsigned-gt:imap-auth-cmd-param-length:0xffffffff:1024:no [378] unsigned-gt:smtp-user-cmd-param-length:0xffffffff:2048:no [379] 
unsigned-gt:netbios-ns-name-len:0xffffffff:34:no [380] unsigned-gt:netbios-ns-rdata-nb-name-len:0xffffffff:34:no [381] string-match:http-req-uri-path:/whois(fcase =no) [382] string-match:http-req-query-params:whois=;(fcase =no) [383] string-match:http-req-query-params:whois=|(fcase =no) [384] string-match:http-req-query-params:;(id|uname|ls)(fcase =no) [385] string-match:http-req-query-params:/(etc|bin|usr|sbin)/(fcase =no) [386] numerical-eq:pktsearch-icq-counter:0xffffffff:2:no [387] string-match:pktsearch-req-text:|%20)/(fcase =yes) [1388] string-match:http-req-uri-path:\.jsp(fcase =yes) [1389] unsigned-gt:smtp-send-cmd-param-length:0xffffffff:1024:no [1390] numerical-eq:smtp-command-name:0xffffffff:21:no [1391] string-match:smtp-rcpt-cmd-param:|sed -e '1,/\^\$/'(fcase =no) [1392] numerical-eq:smtp-server-type:0xffffffff:1:yes [1393] string-match:pktsearch-req-text:^//Message1(fcase =no) [1394] string-match:http-before-request-method:^//Message1(fcase =no) [1395] numerical-eq:h225-error-code:0xffffffff:DestinationURLLengthAnomaly:no [1396] string-match:ftp-cmd-param: ~(fcase =no) [1397] string-match:ftp-cmd-param:{[\r\n](fcase =no) [1398] string-match:tds-mssql-client-query-payload:x\x00p\x00_\x00s\x00p\x00r\x00i\x00n\x00t\x00f(fcase =yes) [1399] string-match:tds-mssql-client-query-payload:r\x00a\x00i\x00s\x00e\x00r\x00r\x00o\x00r(fcase =yes) [1400] string-match:tds-mssql-client-query-payload:f\x00o\x00r\x00m\x00a\x00t\x00m\x00e\x00s\x00s\x00a\x00g\x00e(fcase =yes) [1401] string-match:netbios-ss-tds-client-query-payload:x\x00p\x00_\x00s\x00p\x00r\x00i\x00n\x00t\x00f(fcase =yes) [1402] string-match:netbios-ss-tds-client-query-payload:r\x00a\x00i\x00s\x00e\x00r\x00r\x00o\x00r(fcase =yes) [1403] string-match:netbios-ss-tds-client-query-payload:f\x00o\x00r\x00m\x00a\x00t\x00m\x00e\x00s\x00s\x00a\x00g\x00e(fcase =yes) [1404] unsigned-gt:tns-req-fromtz-param-text-len:0xffffffff:128:no [1405] unsigned-gt:tns-req-timezone-param-text-len:0xffffffff:128:no [1406] 
unsigned-gt:tns-req-numtointerval-param-text-len:0xffffffff:128:no [1407] string-match:smtp-PIF-message-body:J33iKoaA5cbJttB3GBUnzebK(fcase =no) [1408] string-match:smtp-PIF-message-body:VjoxeT8RI2OeJ2b0G19GjQcD(fcase =no) [1409] string-match:smtp-SCR-message-body:J33iKoaA5cbJttB3GBUnzebK(fcase =no) [1410] string-match:smtp-SCR-message-body:VjoxeT8RI2OeJ2b0G19GjQcD(fcase =no) [1411] string-match:smtp-EXE-message-body:J33iKoaA5cbJttB3GBUnzebK(fcase =no) [1412] string-match:smtp-EXE-message-body:VjoxeT8RI2OeJ2b0G19GjQcD(fcase =no) [1413] string-match:smtp-BAT-message-body:J33iKoaA5cbJttB3GBUnzebK(fcase =no) [1414] string-match:smtp-BAT-message-body:VjoxeT8RI2OeJ2b0G19GjQcD(fcase =no) [1415] string-match:smtp-COM-message-body:J33iKoaA5cbJttB3GBUnzebK(fcase =no) [1416] string-match:smtp-COM-message-body:VjoxeT8RI2OeJ2b0G19GjQcD(fcase =no) [1417] string-match:smtp-CPL-message-body:EIbjpu0CPKsz/kTm8G3ihH5J(fcase =no) [1418] string-match:smtp-CPL-message-body:GNAXse1Cu3Dmal1FF/jI0G0T(fcase =no) [1419] string-match:pop3-PIF-message-body:J33iKoaA5cbJttB3GBUnzebK(fcase =no) [1420] string-match:pop3-PIF-message-body:VjoxeT8RI2OeJ2b0G19GjQcD(fcase =no) [1421] string-match:pop3-SCR-message-body:J33iKoaA5cbJttB3GBUnzebK(fcase =no) [1422] string-match:pop3-SCR-message-body:VjoxeT8RI2OeJ2b0G19GjQcD(fcase =no) [1423] string-match:pop3-EXE-message-body:J33iKoaA5cbJttB3GBUnzebK(fcase =no) [1424] string-match:pop3-EXE-message-body:VjoxeT8RI2OeJ2b0G19GjQcD(fcase =no) [1425] string-match:pop3-BAT-message-body:J33iKoaA5cbJttB3GBUnzebK(fcase =no) [1426] string-match:pop3-BAT-message-body:VjoxeT8RI2OeJ2b0G19GjQcD(fcase =no) [1427] string-match:pop3-COM-message-body:J33iKoaA5cbJttB3GBUnzebK(fcase =no) [1428] string-match:pop3-COM-message-body:VjoxeT8RI2OeJ2b0G19GjQcD(fcase =no) [1429] string-match:pop3-CPL-message-body:EIbjpu0CPKsz/kTm8G3ihH5J(fcase =no) [1430] string-match:pop3-CPL-message-body:GNAXse1Cu3Dmal1FF/jI0G0T(fcase =no) [1431] 
string-match:imap-PIF-message-body:J33iKoaA5cbJttB3GBUnzebK(fcase =no) [1432] string-match:imap-PIF-message-body:VjoxeT8RI2OeJ2b0G19GjQcD(fcase =no) [1433] string-match:imap-SCR-message-body:J33iKoaA5cbJttB3GBUnzebK(fcase =no) [1434] string-match:imap-SCR-message-body:VjoxeT8RI2OeJ2b0G19GjQcD(fcase =no) [1435] string-match:imap-EXE-message-body:J33iKoaA5cbJttB3GBUnzebK(fcase =no) [1436] string-match:imap-EXE-message-body:VjoxeT8RI2OeJ2b0G19GjQcD(fcase =no) [1437] string-match:imap-BAT-message-body:J33iKoaA5cbJttB3GBUnzebK(fcase =no) [1438] string-match:imap-BAT-message-body:VjoxeT8RI2OeJ2b0G19GjQcD(fcase =no) [1439] string-match:imap-COM-message-body:J33iKoaA5cbJttB3GBUnzebK(fcase =no) [1440] string-match:imap-COM-message-body:VjoxeT8RI2OeJ2b0G19GjQcD(fcase =no) [1441] string-match:imap-CPL-message-body:EIbjpu0CPKsz/kTm8G3ihH5J(fcase =no) [1442] string-match:imap-CPL-message-body:GNAXse1Cu3Dmal1FF/jI0G0T(fcase =no) [1443] string-match:pktsearch-rsp-text:^1\.[24]5\x0d(fcase =no) [1444] string-match:pktsearch-rsp-text:^R3C Server v1(fcase =no) [1445] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:9870:no [1446] string-match:http-req-uri-path:\.cfm$(fcase =yes) [1447] string-match:http-req-uri-path:\.jsp$(fcase =yes) [1448] unsigned-gt:http-req-uri-path-length:0xffffffff:4096:no [1449] string-match:http-req-uri-path:\.ns4(fcase =yes) [1450] string-match:http-req-uri-path:\.box(fcase =yes) [1451] string-match:http-req-uri-path:\.\.(\\|/)(fcase =no) [1452] string-match:http-before-request-method:^INDEX /(fcase =yes) [1453] numerical-eq:http-rsp-server-type:0xffffffff:3:yes [1454] numerical-eq:rpc-call-procedure:0xffffffff:21:no [1455] string-match:rpc-call-data:@foobar(fcase =no) [1456] string-match:pktsearch-req-text:\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xe4\x00\x00\x00\x04\x00\x00\x00\x15(fcase =no) [1457] string-match:pktsearch-req-text:@foobar(fcase =no) [1458] string-match:rpc-call-data:\x91\xd0\x20\x08\x2f\x62\x69\x6e\x2f\x6b\x73\x68(fcase =no) [1459] 
string-match:pktsearch-req-text:\x91\xd0\x20\x08\x2f\x62\x69\x6e\x2f\x6b\x73\x68(fcase =no) [1460] numerical-eq:icmp-echo-reply-id:0xffffffff:666:no [1461] numerical-eq:icmp-echo-reply-id:0xffffffff:6666:no [1462] string-match:icmp-echo-reply-payload:skillz(fcase =no) [1463] string-match:tds-mssql-client-query-payload:x\x00p\x00_\x00o\x00l\x00e\x00d\x00b\x00i\x00n\x00f\x00o\x00 (fcase =yes) [1464] string-match:netbios-ss-tds-client-query-payload:x\x00p\x00_\x00o\x00l\x00e\x00d\x00b\x00i\x00n\x00f\x00o\x00 (fcase =yes) [1465] string-match:http-req-uri-path:^(/)?pls/(fcase =no) [1466] string-match:http-req-uri-path:owa_util\.signature(fcase =no) [1467] string-match:http-req-uri-path:owa_util\.showsource(fcase =no) [1468] string-match:http-req-uri-path:owa_util\.cellsprint(fcase =no) [1469] string-match:http-req-uri-path:owa_util\.listprint(fcase =no) [1470] string-match:http-req-uri-path:owa_util\.show_query_columns(fcase =no) [1471] unsigned-gt:http-req-user-agent-header-length:0xffffffff:200:no [1472] string-match:http-req-uri-path:cgitest\.exe(fcase =yes) [1473] numerical-eq:telnet-iac-in-client-login-counter:0xffffffff:1:no [1474] string-match:http-post-req-uri-path:/content\.hts(fcase =yes) [1475] string-match:http-req-message-body-query-param-value:Httpd:ExecuteFile\((fcase =yes) [1476] string-match:http-req-message-body-query-param-value:inetd(fcase =yes) [1477] string-match:http-req-message-body-query-param-value:cmd\.exe(fcase =yes) [1478] string-match:http-post-req-uri-path:\.asp(fcase =yes) [1479] string-match:http-req-uri-path:(\\|/)(changepw|redirect)\.exe$(fcase =yes) [1480] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:1026:no [1481] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:1025:no [1482] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:10887:no [1483] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:31887:no [1484] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:32000:no [1485] string-match:pktsearch-rsp-text:^ER 0\r\n(fcase =no) [1486] 
string-match:pktsearch-req-text:^HASL (fcase =no) [1487] string-match:http-post-req-uri-path:/cart.(cgi|pl)(fcase =no) [1488] string-match:http-post-req-message-body:3fdj939jf(fcase =no) [1489] string-match:http-post-req-uri-query-param-name:3fdj939jf(fcase =no) [1490] unsigned-gt:ftp-site-cmd-param-length:0xffffffff:256:no [1491] string-match:ftp-site-cmd-param:CPWD(fcase =yes) [1492] string-match:http-req-uri-path:web-inf/config\.xml(fcase =no) [1493] string-match:http-req-uri-path:/server-info(fcase =no) [1494] string-match:http-req-uri-path:/oprocmgr-status(fcase =no) [1495] string-match:http-req-uri-path:onlineorders_html/main\.jsp(fcase =no) [1496] numerical-eq:snmp-msg-head-length-of-length:0xffffffff:0:no [1497] numerical-eq:snmp-version-length-of-length:0xffffffff:0:no [1498] numerical-eq:snmp-community-string-length-of-length:0xffffffff:0:no [1499] numerical-eq:snmp-pdu-head-length-of-length:0xffffffff:0:no [1500] numerical-eq:snmp-varbindlist-length-of-length:0xffffffff:0:no [1501] numerical-eq:snmp-varbind-length-of-length:0xffffffff:0:no [1502] numerical-eq:snmp-varbind-object-id-length-of-length:0xffffffff:0:no [1503] numerical-eq:snmp-varbind-value-length-of-length:0xffffffff:0:no [1504] numerical-eq:pktsearch-edonkey-counter:0xffffffff:1:no [1505] numerical-eq:pktsearch-req-pktlen:0xffffffff:6:no [1506] string-match-ap:req-content-text:(\xE3|\xC5|\xD4).\x00\x00\x00\x01(fcase =no)(offset=0, depth=0) [1507] string-match-ap:rsp-content-text:(\xE3|\xC5|\xD4).\x00\x00\x00(fcase =no)(offset=0, depth=0) [1508] string-match:smtp-PIF-message-body:FoCG/gZoFZhlF5XX7uHXzFmQ(fcase =no) [1509] string-match:smtp-PIF-message-body:sqYnn2wedsfuOyNW6OwpyPh1(fcase =no) [1510] string-match:smtp-EXE-message-body:FoCG/gZoFZhlF5XX7uHXzFmQ(fcase =no) [1511] string-match:smtp-EXE-message-body:sqYnn2wedsfuOyNW6OwpyPh1(fcase =no) [1512] string-match:pop3-PIF-message-body:FoCG/gZoFZhlF5XX7uHXzFmQ(fcase =no) [1513] 
string-match:pop3-PIF-message-body:sqYnn2wedsfuOyNW6OwpyPh1(fcase =no) [1514] string-match:pop3-EXE-message-body:FoCG/gZoFZhlF5XX7uHXzFmQ(fcase =no) [1515] string-match:pop3-EXE-message-body:sqYnn2wedsfuOyNW6OwpyPh1(fcase =no) [1516] string-match:imap-PIF-message-body:FoCG/gZoFZhlF5XX7uHXzFmQ(fcase =no) [1517] string-match:imap-PIF-message-body:sqYnn2wedsfuOyNW6OwpyPh1(fcase =no) [1518] string-match:imap-EXE-message-body:FoCG/gZoFZhlF5XX7uHXzFmQ(fcase =no) [1519] string-match:imap-EXE-message-body:sqYnn2wedsfuOyNW6OwpyPh1(fcase =no) [1520] string-match:telnet-client-data-text:\xFF\xFB\x18\xFF\xFC\x20\xFF\xFC\x23\xFF\xFC\x24(fcase =no) [1521] string-match:telnet-client-data-text:\xFF\xFD\x03\xFF\xFB\x01\xFF\xFC\x1F\xFF\xFE\x05\xFF\xFC\x21(fcase =no) [1522] string-match:telnet-client-data-text:\x90\x90\x90\x90\x90\x90\xEB\xFE\x90\x90\x90\x90\x90\x90\x90\x90(fcase =no) [1523] string-match:telnet-client-data-text:\x90\x90\x90\x90\x90\x90\x90\x90\x59\xF6\x12(fcase =no) [1524] numerical-eq:http-error-code:0xffffffff:11:no [1525] string-match:http-req-uri-path:phpBB2(\\|/)(fcase =yes) [1526] string-match:http-req-uri-path:(\\|/)db\.php(fcase =yes) [1527] string-match:http-req-uri-query-param-name:phpbb_root_path(fcase =yes) [1528] string-match:http-req-uri-path:/AdvancedDataFactory\.Query(fcase =yes) [1529] string-match:http-post-req-message-body:\r\ncontent-type:(fcase =yes) [1530] string-match:http-req-uri:wp-(cs-dump|ver-info|html-rend|usr-prop|ver-diff|verify-link|start-ver|stop-ver|uncheckout)(fcase =yes) [1531] unsigned-gt:snmp-trap-generic-code:0xffffffff:6:no [1532] unsigned-gt:telnet-username-client-login-length:0xffffffff:256:no [1533] unsigned-gt:telnet-username-client-login-length:0xffffffff:512:no [1534] string-match:telnet-server-data-text:Windows Telnet Server Version 1.0(fcase =no) [1535] string-match:http-req-uri-path://welcome\.jsp(fcase =yes) [1536] unsigned-in-range:wins-later-req-msg-len:0xffffffff:1500:0x2f8701::no [1537] 
numerical-eq:wins-later-req-cmd:0x7800:0x7800:no [1538] unsigned-gt:wins-later-req-pointer:0xffffffff:0xFFFF:no [1539] unsigned-gt:wins-later-dword5:0xffffffff:0x1FFFF:no [1540] unsigned-in-range:wins-first-req-msg-len:0xffffffff:0:0x2f8701::no [1541] numerical-eq:wins-first-req-cmd:0x7800:0x7800:no [1542] unsigned-gt:wins-first-req-pointer:0xffffffff:0:no [1543] numerical-eq:wins-later-dword5:0xFF:0x6:no [1544] unsigned-gt:wins-later-dword6:0xffffffff:276:no [1545] numerical-eq:ssl-renegotiation-flag:0xffffffff:client-negotiation:no [1546] string-match:pktsearch-req-text:^NSClient-(fcase =no) [1547] string-match:pktsearch-rsp-text:^NSServer-(fcase =no) [1548] string-match:pktsearch-req-text:^GETPW(fcase =no) [1549] string-match:pktsearch-req-text:^ABCJZ(fcase =no) [1550] string-match:pktsearch-req-text:^WINDIR(fcase =no) [1551] string-match:pktsearch-req-text:^SYSDIR(fcase =no) [1552] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:22222:no [1553] numerical-eq:pktsearch-msn-counter:0xffffffff:2:no [1554] string-match-ap:req-content-text:VER (.|..|...) MSNP(fcase =no)(offset=0, depth=0) [1555] string-match-ap:rsp-content-text:VER (.|..|...) MSNP(fcase =no)(offset=0, depth=0) [1556] string-match:http-req-uri-path:gateway[/\\]gateway\.dll$(fcase =no) [1557] string-match:http-req-host-header:gateway\.messenger\.hotmail\.com(fcase =no) [1558] string-match:http-req-message-body:VER (.|..|...) 
MSNP(fcase =no) [1559] string-match:http-post-req-uri-path:uilogin\.srf(fcase =no) [1560] string-match:http-post-req-uri-query-param-name:id(fcase =yes) [1561] string-match:http-post-req-uri-query-param-value:45940(fcase =no) [1562] string-match:tns-req-connect-data-text:\(DESCRIPTION(fcase =yes) [1563] string-match:tns-req-connect-data-text:\(COMMAND=dbsnmp_start\)(fcase =yes) [1564] string-match:tns-req-connect-data-text:COMMAND=dbsnmp_stop\)(fcase =yes) [1565] string-match:http-req-uri-path:(\\|/)admin\.php3(fcase =no) [1566] string-match:http-req-uri-query-param-name:step(fcase =no) [1567] string-match:http-req-uri-query-param-name:option(fcase =no) [1568] string-match:http-req-uri-query-param-value:pass(fcase =no) [1569] string-match:http-req-uri-query-param-name:confirm(fcase =no) [1570] string-match:http-req-uri-query-param-name:newPssword(fcase =no) [1571] string-match:snmp-request-community-string-field:^private$(fcase =yes) [1572] string-match:snmp-request-community-string-field:^read$(fcase =yes) [1573] string-match:snmp-request-community-string-field:^write$(fcase =yes) [1574] string-match:snmp-request-community-string-field:^all private$(fcase =yes) [1575] string-match:snmp-request-community-string-field:^monitor$(fcase =yes) [1576] string-match:snmp-request-community-string-field:^manager$(fcase =yes) [1577] string-match:snmp-request-community-string-field:^security$(fcase =yes) [1578] string-match:snmp-request-community-string-field:^origequipmfr$(fcase =yes) [1579] string-match:snmp-request-community-string-field:^secret code$(fcase =yes) [1580] string-match:snmp-request-community-string-field:^admin$(fcase =yes) [1581] string-match:snmp-request-community-string-field:^default$(fcase =yes) [1582] string-match:snmp-request-community-string-field:^password$(fcase =yes) [1583] string-match:snmp-request-community-string-field:^tivoli$(fcase =yes) [1584] string-match:snmp-request-community-string-field:^openview$(fcase =yes) [1585] 
string-match:snmp-request-community-string-field:^community$(fcase =yes) [1586] string-match:snmp-request-community-string-field:^snmp$(fcase =yes) [1587] string-match:snmp-request-community-string-field:^snmpd$(fcase =yes) [1588] string-match:snmp-request-community-string-field:^system$(fcase =yes) [1589] string-match:snmp-request-community-string-field:^gate$(fcase =yes) [1590] numerical-eq:snmp-msg-type:0xffffffff:4:no [1591] string-match:snmp-varbind-object-id-field:^\x2b\x06\x01(fcase =no) [1592] string-match:snmp-varbind-object-id-field:^\x2b\x80\x06\x80\x01(fcase =no) [1593] string-match:snmp-varbind-object-id-field:\x80\x80\x06\x80\x80(fcase =no) [1594] unsigned-gt:nntp-server-list-param-length:0xffffffff:14:no [1595] string-match:http-req-uri-path:Carello(/|\\)add\.exe(fcase =yes) [1596] string-match:http-req-uri-query-params:[abcdefghi]:\\(fcase =yes) [1597] unsigned-gt:finger-redirect-counter:0xffffffff:1:no [1598] string-match:finger-client-data-text:@@(fcase =no) [1599] unsigned-gt:rtsp-req-uri-len:0xffffffff:4000:no [1600] string-match:rtsp-req-transport-header-text:THCr0x!(fcase =no) [1601] unsigned-gt:rtsp-req-uri-len:0xffffffff:4096:no [1602] unsigned-gt:rtsp-req-uri-len:0xffffffff:1024:no [1603] string-match:ftp-list-cmd-param:%u%u%u%u%[0-9](fcase =no) [1604] string-match:ftp-list-cmd-param:u%n(fcase =no) [1605] string-match:http-req-uri-path:\x0a\xf7\x02\x97(fcase =no) [1606] string-match:http-req-uri-path:\x0b\x18\x02\x98(fcase =no) [1607] string-match:http-req-uri-path:\x0b\x39\x02\x99(fcase =no) [1608] string-match:http-req-uri-path:\x0b\x5a\x02\x9a(fcase =no) [1609] string-match:http-req-uri-path:\x20\x20\x08\x01(fcase =no) [1610] string-match:http-req-uri-path:\xe4\x20\xe0\x08(fcase =no) [1611] string-match:http-req-uri-path:\x24\x02\x04\x53(fcase =no) [1612] string-match:http-req-uri-path:\x24\x02\x03\xf3(fcase =no) [1613] string-match:http-req-uri-path:\x24\x02\x04\x25(fcase =no) [1614] string-match:http-req-uri-path:\x24\x02\x03\xee(fcase 
=no) [1615] string-match:http-req-uri-path:\x24\x02\x03\xeb(fcase =no) [1616] string-match:http-req-uri-path:\x03\xff\xff\xcc(fcase =no) [1617] string-match:http-req-uri-path:\x02..\x0c(fcase =no) [1618] string-match:http-req-uri-path:\x01\x01\x01\x0c(fcase =no) [1619] string-match:http-req-uri-path:\x13\x74\xf0\x47(fcase =no) [1620] string-match:http-req-uri-path:\x12\x74\xf0\x47(fcase =no) [1621] string-match:http-req-uri-path:\x11\x74\xf0\x47(fcase =no) [1622] string-match:http-req-uri-path:/bin/sh(fcase =no) [1623] string-match:http-req-uri-path:\xff\xff\xff\xed\xff\x1f\xd2/bin(fcase =no) [1624] string-match:http-req-uri-path:\xff\x7e\xb2\x13\x94\xe7\x43\x20\x35\x60\x42(fcase =no) [1625] string-match:http-req-uri-path:h....X5....H..PP..PPa(fcase =no) [1626] string-match:http-req-uri-path:PQX-....-....-....PQX(fcase =no) [1627] string-match:http-req-uri-path:PQX-....-....PQX(fcase =no) [1628] string-match:http-req-uri-path:\x80\x30.\x40\xe2\xfa(fcase =no) [1629] string-match:http-req-uri-path:\xac\x34.\xaa\xe2\xfa(fcase =no) [1630] string-match:http-req-uri-path:\x2C\x61\x90\x50\x59\x66\xAD\x90(fcase =no) [1631] string-match:http-req-uri-path:\xac\x2c.\xaa\xe2\xf5(fcase =no) [1632] string-match:http-req-uri-path:\x9a\xff\xff\xff\xff\x07\xff(fcase =no) [1633] string-match:http-req-uri-path:\xaa\x10\x10\x10\x10\x17\x10(fcase =no) [1634] string-match:http-req-uri-path:\x9a\x01\x02\x03\x5c\x07\x04(fcase =no) [1635] string-match:http-req-uri-path:\x9a\x04\x04\x04\x04\x07\x04(fcase =no) [1636] string-match:http-req-uri-path:\x9a\x24\x24\x24\x24\x07\x24(fcase =no) [1637] string-match:http-req-uri-path:cgi-bin(fcase =no) [1638] string-match:http-req-uri-path:(\\|/)rpm_query(fcase =no) [1639] string-match:telnet-client-environ-sb-param:(\x03|\x00|\x01)LD_LIBRARY_PATH(\x00|\x01)\x2f(fcase =yes) [1640] string-match:telnet-client-environ-sb-param:(\x03|\x00|\x01)LD_LIBRARY_PATH(fcase =yes) [1641] unsigned-gt:telnet-client-environ-sb-param-length:0xffffffff:512:no [1642] 
string-match:pktsearch-openview-req-text:\x00\x20\x30\x00\x20\x30\x00\x20\x30\x00\x20(fcase =no) [1643] string-match:pktsearch-openview-req-text:28\x00/\.\./\.\./\.\./bin/sh\x00\x00dig(fcase =no) [1644] unsigned-gt:imap-proxy-cmd-param-length:0xffffffff:128:no [1645] string-match:http-req-uri-path:mall_log_files(/|\\)order\.log$(fcase =yes) [1646] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:63536:no [1647] string-match:pktsearch-rsp-text:^Insane Network vs [45]\.0 by Suid Flow(fcase =no) [1648] string-match:ssl-tbs-issuer-msg-sfield:\x84(\xFF\xFF\xFF\xFD|\xFF\xFF\xFF\xFE|\xFF\xFF\xFF\xFF)(fcase =no) [1649] string-match:ssl-tbs-subject-msg-sfield:\x84(\xFF\xFF\xFF\xFD|\xFF\xFF\xFF\xFE|\xFF\xFF\xFF\xFF)(fcase =no) [1650] string-match:ssl-tbs-exts-item-value-msg-sfield:\x84(\xFF\xFF\xFF\xFD|\xFF\xFF\xFF\xFE|\xFF\xFF\xFF\xFF)(fcase =no) [1651] string-match:ssl-tbs-sig-param-msg-sfield:\x84(\xFF\xFF\xFF\xFD|\xFF\xFF\xFF\xFE|\xFF\xFF\xFF\xFF)(fcase =no) [1652] string-match:ssl-tbs-pkinf-algid-param-msg-sfield:\x84(\xFF\xFF\xFF\xFD|\xFF\xFF\xFF\xFE|\xFF\xFF\xFF\xFF)(fcase =no) [1653] string-match:ssl-sigalg-param-msg-sfield:\x84(\xFF\xFF\xFF\xFD|\xFF\xFF\xFF\xFE|\xFF\xFF\xFF\xFF)(fcase =no) [1654] string-match:pktsearch-rsp-text:^--Ahhhhhhhhhh My Mouth Is Open(fcase =no) [1655] string-match:pktsearch-rsp-text:- Ahhhhh My Mouth Is Open \(v2\)(fcase =no) [1656] string-match:pktsearch-rsp-text:- Ahhhhh My Mouth Is Open \(v3\.0\)(fcase =no) [1657] string-match:pktsearch-rsp-text:- Ahhhh My Mouth Is Open \(v3\.1\)(fcase =no) [1658] string-match:ftp-site-cmd-param:EXEC(fcase =yes) [1659] string-match:ftp-site-cmd-param:\.\./\.\./(fcase =no) [1660] string-match:ftp-site-cmd-param:--use-compress-program(fcase =no) [1661] string-match:ftp-site-cmd-param:--rsh-command(fcase =no) [1662] string-match:ftp-site-cmd-param:--info-script(fcase =no) [1663] string-match:ftp-site-cmd-param:--new-volume-script(fcase =no) [1664] 
unsigned-gt:http-req-uri-query-params-length:0xffffffff:2002:no [1665] string-match:http-req-uri-path:dvwssr\.dll$(fcase =yes) [1666] unsigned-gt:pop3-login-fail-counter:0xffffffff:0:no [1667] string-match:smtp-CMD-message-body:SQ8wd0uHOHrDYnT31ES8b1jl(fcase =no) [1668] string-match:smtp-CMD-message-body:OlUBLzMyWkkw82BOnEw1WUc7(fcase =no) [1669] string-match:smtp-PIF-message-body:SQ8wd0uHOHrDYnT31ES8b1jl(fcase =no) [1670] string-match:smtp-PIF-message-body:OlUBLzMyWkkw82BOnEw1WUc7(fcase =no) [1671] string-match:smtp-BAT-message-body:SQ8wd0uHOHrDYnT31ES8b1jl(fcase =no) [1672] string-match:smtp-BAT-message-body:OlUBLzMyWkkw82BOnEw1WUc7(fcase =no) [1673] string-match:smtp-COM-message-body:SQ8wd0uHOHrDYnT31ES8b1jl(fcase =no) [1674] string-match:smtp-COM-message-body:OlUBLzMyWkkw82BOnEw1WUc7(fcase =no) [1675] string-match:smtp-ZIP-message-body:SQ8wd0uHOHrDYnT31ES8b1jl(fcase =no) [1676] string-match:smtp-ZIP-message-body:OlUBLzMyWkkw82BOnEw1WUc7(fcase =no) [1677] string-match:smtp-ZIP-message-body:DzB3S4c4esNidPfURLxvWOU6(fcase =no) [1678] string-match:smtp-ZIP-message-body:VQEvMzJaSTDzYE6cTDVZRztK(fcase =no) [1679] string-match:smtp-ZIP-message-body:MHdLhzh6w2J099REvG9Y5TpV(fcase =no) [1680] string-match:smtp-ZIP-message-body:AS8zMlpJMPNgTpxMNVlHO0p3(fcase =no) [1681] string-match:pop3-CMD-message-body:SQ8wd0uHOHrDYnT31ES8b1jl(fcase =no) [1682] string-match:pop3-CMD-message-body:OlUBLzMyWkkw82BOnEw1WUc7(fcase =no) [1683] string-match:pop3-PIF-message-body:SQ8wd0uHOHrDYnT31ES8b1jl(fcase =no) [1684] string-match:pop3-PIF-message-body:OlUBLzMyWkkw82BOnEw1WUc7(fcase =no) [1685] string-match:pop3-BAT-message-body:SQ8wd0uHOHrDYnT31ES8b1jl(fcase =no) [1686] string-match:pop3-BAT-message-body:OlUBLzMyWkkw82BOnEw1WUc7(fcase =no) [1687] string-match:pop3-COM-message-body:SQ8wd0uHOHrDYnT31ES8b1jl(fcase =no) [1688] string-match:pop3-COM-message-body:OlUBLzMyWkkw82BOnEw1WUc7(fcase =no) [1689] string-match:pop3-ZIP-message-body:SQ8wd0uHOHrDYnT31ES8b1jl(fcase =no) [1690] 
string-match:pop3-ZIP-message-body:OlUBLzMyWkkw82BOnEw1WUc7(fcase =no) [1691] string-match:pop3-ZIP-message-body:DzB3S4c4esNidPfURLxvWOU6(fcase =no) [1692] string-match:pop3-ZIP-message-body:VQEvMzJaSTDzYE6cTDVZRztK(fcase =no) [1693] string-match:pop3-ZIP-message-body:MHdLhzh6w2J099REvG9Y5TpV(fcase =no) [1694] string-match:pop3-ZIP-message-body:AS8zMlpJMPNgTpxMNVlHO0p3(fcase =no) [1695] string-match:imap-CMD-message-body:SQ8wd0uHOHrDYnT31ES8b1jl(fcase =no) [1696] string-match:imap-CMD-message-body:OlUBLzMyWkkw82BOnEw1WUc7(fcase =no) [1697] string-match:imap-PIF-message-body:SQ8wd0uHOHrDYnT31ES8b1jl(fcase =no) [1698] string-match:imap-PIF-message-body:OlUBLzMyWkkw82BOnEw1WUc7(fcase =no) [1699] string-match:imap-BAT-message-body:SQ8wd0uHOHrDYnT31ES8b1jl(fcase =no) [1700] string-match:imap-BAT-message-body:OlUBLzMyWkkw82BOnEw1WUc7(fcase =no) [1701] string-match:imap-COM-message-body:SQ8wd0uHOHrDYnT31ES8b1jl(fcase =no) [1702] string-match:imap-COM-message-body:OlUBLzMyWkkw82BOnEw1WUc7(fcase =no) [1703] string-match:imap-ZIP-message-body:SQ8wd0uHOHrDYnT31ES8b1jl(fcase =no) [1704] string-match:imap-ZIP-message-body:OlUBLzMyWkkw82BOnEw1WUc7(fcase =no) [1705] string-match:imap-ZIP-message-body:DzB3S4c4esNidPfURLxvWOU6(fcase =no) [1706] string-match:imap-ZIP-message-body:VQEvMzJaSTDzYE6cTDVZRztK(fcase =no) [1707] string-match:imap-ZIP-message-body:MHdLhzh6w2J099REvG9Y5TpV(fcase =no) [1708] string-match:imap-ZIP-message-body:AS8zMlpJMPNgTpxMNVlHO0p3(fcase =no) [1709] unsigned-gt:imap-login-fail-counter:0xffffffff:0:no [1710] string-match:http-req-uri-path:(/|\\)\.bash_history(fcase =no) [1711] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:30700:no [1712] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:3723:no [1713] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:37237:no [1714] numerical-eq:pktsearch-rsp-1st-4b:0xffffffff:0x6d73673a:no [1715] string-match:ftp-stor-cmd-param:--use-compress-program(fcase =no) [1716] string-match:ftp-retr-cmd-param:--use-compress-program(fcase 
=no) [1717] string-match:http-req-uri-path:/ctguestb\.idc$(fcase =yes) [1718] string-match:http-req-uri-path:/details\.idc$(fcase =yes) [1719] string-match:http-req-uri-path:/scripts/(fcase =yes) [1720] string-match:http-req-uri-path:\\ctguestb\.idc$(fcase =yes) [1721] string-match:http-req-uri-path:\\details\.idc$(fcase =yes) [1722] string-match:http-req-uri-path:\\scripts\\(fcase =yes) [1723] string-match:http-req-uri-path:(\\|/)advworks(fcase =yes) [1724] string-match:http-req-uri-path:(\\|/)equipment(fcase =yes) [1725] string-match:http-req-uri-path:(\\|/)catalog_type\.asp$(fcase =yes) [1726] string-match:rexec-username-client-login:^root[\r\n](fcase =no) [1727] string-match:rexec-client-handshake-serveruser-text:^root$(fcase =no) [1728] numerical-eq:snmp-msg-type:0xffffffff:5:no [1729] numerical-eq:snmp-msg-type:0xffffffff:8:no [1730] numerical-eq:snmp-msg-type:0xffffffff:9:no [1731] unsigned-gt:snmp-octestring-msg-qllength:0xffffffff:305:no [1732] string-match:http-req-uri-path:/changedisplay\.pl(fcase =yes) [1733] string-match:http-req-uri-query-params:'Administrator'(fcase =yes) [1734] numerical-eq:pktsearch-dst-port:0xffffffff:16661:no [1735] numerical-eq:pktsearch-dst-port:0xffffffff:19991:no [1736] string-match:pktsearch-req-text:^001(fcase =no) [1737] string-match:pktsearch-req-text:^085(fcase =no) [1738] string-match:pktsearch-rsp-text:^001(fcase =no) [1739] string-match:pktsearch-rsp-text:^085(fcase =no) [1740] string-match:http-req-uri-path:(\\|/)htmlscript$(fcase =yes) [1741] string-match:pktsearch-trin00-m2d-req-text:l44adsl(fcase =no) [1742] string-match:pktsearch-trin00-m2d-req-text:\[\]\.\.Ks(fcase =no) [1743] string-match:smtp-EXE-message-body:NoUeIK5ltb1aGa9mJlwTCaBR(fcase =no) [1744] string-match:smtp-EXE-message-body:2Fd5UmcdEyObQfwKTRv8VRAa(fcase =no) [1745] string-match:pop3-EXE-message-body:NoUeIK5ltb1aGa9mJlwTCaBR(fcase =no) [1746] string-match:pop3-EXE-message-body:2Fd5UmcdEyObQfwKTRv8VRAa(fcase =no) [1747] 
string-match:imap-EXE-message-body:NoUeIK5ltb1aGa9mJlwTCaBR(fcase =no) [1748] string-match:imap-EXE-message-body:2Fd5UmcdEyObQfwKTRv8VRAa(fcase =no) [1749] string-match:dhcp-req-sf-client-full-name-option:%(n|hn)%(fcase =no) [1750] unsigned-gt:dhcp-req-cf-client-full-name-option-len:0xffffffff:127:no [1751] string-match:imap-cmd-param:\x0a\xf7\x02\x97(fcase =no) [1752] string-match:imap-cmd-param:\x0b\x18\x02\x98(fcase =no) [1753] string-match:imap-cmd-param:\x0b\x39\x02\x99(fcase =no) [1754] string-match:imap-cmd-param:\x0b\x5a\x02\x9a(fcase =no) [1755] string-match:imap-cmd-param:\x20\x20\x08\x01(fcase =no) [1756] string-match:imap-cmd-param:\xe4\x20\xe0\x08(fcase =no) [1757] string-match:imap-cmd-param:\x24\x02\x04\x53(fcase =no) [1758] string-match:imap-cmd-param:\x24\x02\x03\xf3(fcase =no) [1759] string-match:imap-cmd-param:\x24\x02\x04\x25(fcase =no) [1760] string-match:imap-cmd-param:\x24\x02\x03\xee(fcase =no) [1761] string-match:imap-cmd-param:\x24\x02\x03\xeb(fcase =no) [1762] string-match:imap-cmd-param:\x03\xff\xff\xcc(fcase =no) [1763] string-match:imap-cmd-param:\x02..\x0c(fcase =no) [1764] string-match:imap-cmd-param:\x01\x01\x01\x0c(fcase =no) [1765] string-match:imap-cmd-param:\x13\x74\xf0\x47(fcase =no) [1766] string-match:imap-cmd-param:\x12\x74\xf0\x47(fcase =no) [1767] string-match:imap-cmd-param:\x11\x74\xf0\x47(fcase =no) [1768] string-match:imap-cmd-param:/bin/sh(fcase =no) [1769] string-match:imap-cmd-param:\xff\xff\xff\xed\xff\x1f\xd2/bin(fcase =no) [1770] string-match:imap-cmd-param:\xff\x7e\xb2\x13\x94\xe7\x43\x20\x35\x60\x42(fcase =no) [1771] string-match:imap-cmd-param:h....X5....H..PP..PPa(fcase =no) [1772] string-match:imap-cmd-param:\x80\x30.\x40\xe2\xfa(fcase =no) [1773] string-match:imap-cmd-param:\xac\x34.\xaa\xe2\xfa(fcase =no) [1774] string-match:imap-cmd-param:\x2C\x61\x90\x50\x59\x66\xAD\x90(fcase =no) [1775] string-match:imap-cmd-param:\xac\x2c.\xaa\xe2\xf5(fcase =no) [1776] 
string-match:imap-cmd-param:\x9a\xff\xff\xff\xff\x07\xff(fcase =no) [1777] string-match:imap-cmd-param:\xaa\x10\x10\x10\x10\x17\x10(fcase =no) [1778] string-match:imap-cmd-param:\x9a\x01\x02\x03\x5c\x07\x04(fcase =no) [1779] string-match:imap-cmd-param:\x9a\x04\x04\x04\x04\x07\x04(fcase =no) [1780] string-match:imap-cmd-param:\x9a\x24\x24\x24\x24\x07\x24(fcase =no) [1781] unsigned-gt:smtp-date-message-header-length:0xffffffff:140:no [1782] unsigned-gt:smtp-date-message-header-length:0xffffffff:70:no [1783] string-match:smtp-message-body:\x00shell32\.dll\x00(fcase =no) [1784] string-match:http-req-uri-path:/search\.php(fcase =yes) [1785] string-match:http-req-uri-query-param-name:search_id(fcase =yes) [1786] string-match:http-req-uri-query-param-value:select (fcase =yes) [1787] string-match:http-req-uri-query-param-value: from (fcase =yes) [1788] numerical-eq:pktsearch-req-1st-4b:0xFFFFFF00:0x633A5C00:no [1789] numerical-eq:pktsearch-req-1st-4b:0xFFFFFF00:0x433A5D00:no [1790] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:4567:no [1791] numerical-eq:h225-error-code:0xffffffff:SourceAddressE164LengthAnomaly:no [1792] string-match:http-req-uri-path:/cgi-win(fcase =yes) [1793] string-match:http-req-uri-path:(\\|/)uploader\.exe$(fcase =yes) [1794] string-match:pop3-cmd-param:\x0a\xf7\x02\x97(fcase =no) [1795] string-match:pop3-cmd-param:\x0b\x18\x02\x98(fcase =no) [1796] string-match:pop3-cmd-param:\x0b\x39\x02\x99(fcase =no) [1797] string-match:pop3-cmd-param:\x0b\x5a\x02\x9a(fcase =no) [1798] string-match:pop3-cmd-param:\x20\x20\x08\x01(fcase =no) [1799] string-match:pop3-cmd-param:\xe4\x20\xe0\x08(fcase =no) [1800] string-match:pop3-cmd-param:\x24\x02\x04\x53(fcase =no) [1801] string-match:pop3-cmd-param:\x24\x02\x03\xf3(fcase =no) [1802] string-match:pop3-cmd-param:\x24\x02\x04\x25(fcase =no) [1803] string-match:pop3-cmd-param:\x24\x02\x03\xee(fcase =no) [1804] string-match:pop3-cmd-param:\x24\x02\x03\xeb(fcase =no) [1805] 
string-match:pop3-cmd-param:\x03\xff\xff\xcc(fcase =no) [1806] string-match:pop3-cmd-param:\x02..\x0c(fcase =no) [1807] string-match:pop3-cmd-param:\x01\x01\x01\x0c(fcase =no) [1808] string-match:pop3-cmd-param:\x13\x74\xf0\x47(fcase =no) [1809] string-match:pop3-cmd-param:\x12\x74\xf0\x47(fcase =no) [1810] string-match:pop3-cmd-param:\x11\x74\xf0\x47(fcase =no) [1811] string-match:pop3-cmd-param:/bin/sh(fcase =no) [1812] string-match:pop3-cmd-param:\xff\xff\xff\xed\xff\x1f\xd2/bin(fcase =no) [1813] string-match:pop3-cmd-param:\xff\x7e\xb2\x13\x94\xe7\x43\x20\x35\x60\x42(fcase =no) [1814] string-match:pop3-cmd-param:h....X5....H..PP..PPa(fcase =no) [1815] string-match:pop3-cmd-param:\x80\x30.\x40\xe2\xfa(fcase =no) [1816] string-match:pop3-cmd-param:\xac\x34.\xaa\xe2\xfa(fcase =no) [1817] string-match:pop3-cmd-param:\x2C\x61\x90\x50\x59\x66\xAD\x90(fcase =no) [1818] string-match:pop3-cmd-param:\xac\x2c.\xaa\xe2\xf5(fcase =no) [1819] string-match:pop3-cmd-param:\x9a\xff\xff\xff\xff\x07\xff(fcase =no) [1820] string-match:pop3-cmd-param:\xaa\x10\x10\x10\x10\x17\x10(fcase =no) [1821] string-match:pop3-cmd-param:\x9a\x01\x02\x03\x5c\x07\x04(fcase =no) [1822] string-match:pop3-cmd-param:\x9a\x04\x04\x04\x04\x07\x04(fcase =no) [1823] string-match:pop3-cmd-param:\x9a\x24\x24\x24\x24\x07\x24(fcase =no) [1824] string-match:smtp-EXE-message-body:xcamaZqmx8jJysuapmmazM3O(fcase =no) [1825] string-match:smtp-EXE-message-body:z9DRNU2zbdJzN9PU1daX22bZ(fcase =no) [1826] string-match:smtp-PIF-message-body:xcamaZqmx8jJysuapmmazM3O(fcase =no) [1827] string-match:smtp-PIF-message-body:z9DRNU2zbdJzN9PU1daX22bZ(fcase =no) [1828] string-match:smtp-SCR-message-body:xcamaZqmx8jJysuapmmazM3O(fcase =no) [1829] string-match:smtp-SCR-message-body:z9DRNU2zbdJzN9PU1daX22bZ(fcase =no) [1830] string-match:smtp-BAT-message-body:xcamaZqmx8jJysuapmmazM3O(fcase =no) [1831] string-match:smtp-BAT-message-body:z9DRNU2zbdJzN9PU1daX22bZ(fcase =no) [1832] 
string-match:smtp-CMD-message-body:xcamaZqmx8jJysuapmmazM3O(fcase =no) [1833] string-match:smtp-CMD-message-body:z9DRNU2zbdJzN9PU1daX22bZ(fcase =no) [1834] string-match:smtp-COM-message-body:xcamaZqmx8jJysuapmmazM3O(fcase =no) [1835] string-match:smtp-COM-message-body:z9DRNU2zbdJzN9PU1daX22bZ(fcase =no) [1836] string-match:smtp-ZIP-message-body:xcamaZqmx8jJysuapmmazM3O(fcase =no) [1837] string-match:smtp-ZIP-message-body:z9DRNU2zbdJzN9PU1daX22bZ(fcase =no) [1838] string-match:smtp-ZIP-message-body:xqZpmqbHyMnKy5qmaZrMzc7P(fcase =no) [1839] string-match:smtp-ZIP-message-body:0NE1TbNt0nM309TV1pfbZtkn(fcase =no) [1840] string-match:smtp-ZIP-message-body:pmmapsfIycrLmqZpmszNzs/Q(fcase =no) [1841] string-match:smtp-ZIP-message-body:0TVNs23SczfT1NXWl9tm2SfX(fcase =no) [1842] string-match:pop3-EXE-message-body:xcamaZqmx8jJysuapmmazM3O(fcase =no) [1843] string-match:pop3-EXE-message-body:z9DRNU2zbdJzN9PU1daX22bZ(fcase =no) [1844] string-match:pop3-PIF-message-body:xcamaZqmx8jJysuapmmazM3O(fcase =no) [1845] string-match:pop3-PIF-message-body:z9DRNU2zbdJzN9PU1daX22bZ(fcase =no) [1846] string-match:pop3-SCR-message-body:xcamaZqmx8jJysuapmmazM3O(fcase =no) [1847] string-match:pop3-SCR-message-body:z9DRNU2zbdJzN9PU1daX22bZ(fcase =no) [1848] string-match:pop3-BAT-message-body:xcamaZqmx8jJysuapmmazM3O(fcase =no) [1849] string-match:pop3-BAT-message-body:z9DRNU2zbdJzN9PU1daX22bZ(fcase =no) [1850] string-match:pop3-CMD-message-body:xcamaZqmx8jJysuapmmazM3O(fcase =no) [1851] string-match:pop3-CMD-message-body:z9DRNU2zbdJzN9PU1daX22bZ(fcase =no) [1852] string-match:pop3-COM-message-body:xcamaZqmx8jJysuapmmazM3O(fcase =no) [1853] string-match:pop3-COM-message-body:z9DRNU2zbdJzN9PU1daX22bZ(fcase =no) [1854] string-match:pop3-ZIP-message-body:xcamaZqmx8jJysuapmmazM3O(fcase =no) [1855] string-match:pop3-ZIP-message-body:z9DRNU2zbdJzN9PU1daX22bZ(fcase =no) [1856] string-match:pop3-ZIP-message-body:xqZpmqbHyMnKy5qmaZrMzc7P(fcase =no) [1857] 
string-match:pop3-ZIP-message-body:0NE1TbNt0nM309TV1pfbZtkn(fcase =no) [1858] string-match:pop3-ZIP-message-body:pmmapsfIycrLmqZpmszNzs/Q(fcase =no) [1859] string-match:pop3-ZIP-message-body:0TVNs23SczfT1NXWl9tm2SfX(fcase =no) [1860] string-match:imap-EXE-message-body:xcamaZqmx8jJysuapmmazM3O(fcase =no) [1861] string-match:imap-EXE-message-body:z9DRNU2zbdJzN9PU1daX22bZ(fcase =no) [1862] string-match:imap-PIF-message-body:xcamaZqmx8jJysuapmmazM3O(fcase =no) [1863] string-match:imap-PIF-message-body:z9DRNU2zbdJzN9PU1daX22bZ(fcase =no) [1864] string-match:imap-SCR-message-body:xcamaZqmx8jJysuapmmazM3O(fcase =no) [1865] string-match:imap-SCR-message-body:z9DRNU2zbdJzN9PU1daX22bZ(fcase =no) [1866] string-match:imap-BAT-message-body:xcamaZqmx8jJysuapmmazM3O(fcase =no) [1867] string-match:imap-BAT-message-body:z9DRNU2zbdJzN9PU1daX22bZ(fcase =no) [1868] string-match:imap-CMD-message-body:xcamaZqmx8jJysuapmmazM3O(fcase =no) [1869] string-match:imap-CMD-message-body:z9DRNU2zbdJzN9PU1daX22bZ(fcase =no) [1870] string-match:imap-COM-message-body:xcamaZqmx8jJysuapmmazM3O(fcase =no) [1871] string-match:imap-COM-message-body:z9DRNU2zbdJzN9PU1daX22bZ(fcase =no) [1872] string-match:imap-ZIP-message-body:xcamaZqmx8jJysuapmmazM3O(fcase =no) [1873] string-match:imap-ZIP-message-body:z9DRNU2zbdJzN9PU1daX22bZ(fcase =no) [1874] string-match:imap-ZIP-message-body:xqZpmqbHyMnKy5qmaZrMzc7P(fcase =no) [1875] string-match:imap-ZIP-message-body:0NE1TbNt0nM309TV1pfbZtkn(fcase =no) [1876] string-match:imap-ZIP-message-body:pmmapsfIycrLmqZpmszNzs/Q(fcase =no) [1877] string-match:imap-ZIP-message-body:0TVNs23SczfT1NXWl9tm2SfX(fcase =no) [1878] string-match:mysql-req-init_db-payload:^LPT1$(fcase =yes) [1879] string-match:mysql-req-init_db-payload:^PRN$(fcase =yes) [1880] unsigned-gt:imap-list-cmd-param-length:0xffffffff:1024:no [1881] unsigned-gt:cvs-revision-length:0xffffffff:60:no [1882] unsigned-gt:netbios-ss-smb-rsp-param-session_setup_andx-securityblob-length:0xffffffff:0x8000:no [1883] 
numerical-eq:netbios-ss-error-code:0xffffffff:SESSION_SETUP_SECURITYBLOB_OVERFLOW:no [1884] string-match:http-req-uri-query-params:(vars|env|db)$(fcase =yes) [1885] string-match:http-req-uri-query-params:cat+/etc/passwd(fcase =yes) [1886] string-match:http-req-uri-path:cart\.(cgi|pl)(fcase =yes) [1887] unsigned-gt:smtp-helo-cmd-param-length:0xffffffff:170:no [1888] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:1095:no [1889] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:1097:no [1890] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:1098:no [1891] string-match:pktsearch-rsp-text:^B\.F\. Evolution RAT (fcase =no) [1892] string-match:pktsearch-trin00-a2m-req-text:betaalmostdone(fcase =no) [1893] unsigned-gt:ftp-pass-cmd-param-length:0xffffffff:800:no [1894] string-match:ftp-pass-cmd-param:\x90\x90\x31\xdb\x89(fcase =no) [1895] string-match:ftp-mkd-cmd-param:\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8\x88(fcase =no) [1896] unsigned-gt:ftp-mkd-cmd-param-length:0xffffffff:100:no [1897] string-match:ftp-mkd-cmd-param:\xcd\x80\x31\xc0\xb0\x17\xcd\x80(fcase =no) [1898] string-match:ftp-mkd-cmd-param:bin/sh(fcase =no) [1899] string-match:http-get-req-uri-path:nessus_is_probing_you_(fcase =no) [1900] string-match:pop3-list-cmd-param:\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa\x89\xf9\x89(fcase =no) [1901] string-match:pop3-list-cmd-param:/bin/sh(fcase =no) [1902] string-match:pop3-list-cmd-param:\x31\xdb\x31\xc9\xb0\x40\x83\xc0\x06\xcd\x80\xb0(fcase =no) [1903] string-match:pop3-list-cmd-param:\xff\xff/bin/sh\.\.\.\.\.\.(fcase =no) [1904] string-match:smtp-message-body:ey, dude, it's me \^(fcase =no) [1905] string-match:smtp-message-body:rgh, i don't l(fcase =no) [1906] string-match:smtp-message-body:I don't bite, w(fcase =no) [1907] string-match:smtp-message-body:Looking forward for a response :P(fcase =no) [1908] string-match:smtp-name-message-header:\.zip"(fcase =yes) [1909] string-match:telnet-client-environ-sb-param:\x0a\xf7\x02\x97(fcase =no) [1910] 
string-match:telnet-client-environ-sb-param:\x0b\x18\x02\x98(fcase =no) [1911] string-match:telnet-client-environ-sb-param:\x0b\x39\x02\x99(fcase =no) [1912] string-match:telnet-client-environ-sb-param:\x0b\x5a\x02\x9a(fcase =no) [1913] string-match:telnet-client-environ-sb-param:\x20\x20\x08\x01(fcase =no) [1914] string-match:telnet-client-environ-sb-param:\xe4\x20\xe0\x08(fcase =no) [1915] string-match:telnet-client-environ-sb-param:\x24\x02\x04\x53(fcase =no) [1916] string-match:telnet-client-environ-sb-param:\x24\x02\x03\xf3(fcase =no) [1917] string-match:telnet-client-environ-sb-param:\x24\x02\x04\x25(fcase =no) [1918] string-match:telnet-client-environ-sb-param:\x24\x02\x03\xee(fcase =no) [1919] string-match:telnet-client-environ-sb-param:\x24\x02\x03\xeb(fcase =no) [1920] string-match:telnet-client-environ-sb-param:\x03\xff\xff\xcc(fcase =no) [1921] string-match:telnet-client-environ-sb-param:\x02..\x0c(fcase =no) [1922] string-match:telnet-client-environ-sb-param:\x01\x01\x01\x0c(fcase =no) [1923] string-match:telnet-client-environ-sb-param:\x13\x74\xf0\x47(fcase =no) [1924] string-match:telnet-client-environ-sb-param:\x12\x74\xf0\x47(fcase =no) [1925] string-match:telnet-client-environ-sb-param:\x11\x74\xf0\x47(fcase =no) [1926] string-match:telnet-client-environ-sb-param:/bin/sh(fcase =no) [1927] string-match:telnet-client-environ-sb-param:\xff\xff\xff\xed\xff\x1f\xd2/bin(fcase =no) [1928] string-match:telnet-client-environ-sb-param:\xff\x7e\xb2\x13\x94\xe7\x43\x20\x35\x60\x42(fcase =no) [1929] string-match:telnet-client-environ-sb-param:h....X5....H..PP..PPa(fcase =no) [1930] string-match:telnet-client-environ-sb-param:-....-....-....PQX-....-....-....PQX(fcase =no) [1931] string-match:telnet-client-environ-sb-param:-....-....PQX-....-....PQX(fcase =no) [1932] string-match:telnet-client-environ-sb-param:\x80\x30.\x40\xe2\xfa(fcase =no) [1933] string-match:telnet-client-environ-sb-param:\xac\x34.\xaa\xe2\xfa(fcase =no) [1934] 
string-match:telnet-client-environ-sb-param:\x2C\x61\x90\x50\x59\x66\xAD\x90(fcase =no) [1935] string-match:telnet-client-environ-sb-param:\xac\x2c.\xaa\xe2\xf5(fcase =no) [1936] string-match:telnet-client-environ-sb-param:\x9a\xff\xff\xff\xff\x07\xff(fcase =no) [1937] string-match:telnet-client-environ-sb-param:\xaa\x10\x10\x10\x10\x17\x10(fcase =no) [1938] string-match:telnet-client-environ-sb-param:\x9a\x01\x02\x03\x5c\x07\x04(fcase =no) [1939] string-match:telnet-client-environ-sb-param:\x9a\x04\x04\x04\x04\x07\x04(fcase =no) [1940] string-match:telnet-client-environ-sb-param:\x9a\x24\x24\x24\x24\x07\x24(fcase =no) [1941] string-match:smtp-cmd-param:\x0a\xf7\x02\x97(fcase =no) [1942] string-match:smtp-cmd-param:\x0b\x18\x02\x98(fcase =no) [1943] string-match:smtp-cmd-param:\x0b\x39\x02\x99(fcase =no) [1944] string-match:smtp-cmd-param:\x0b\x5a\x02\x9a(fcase =no) [1945] string-match:smtp-cmd-param:\x20\x20\x08\x01(fcase =no) [1946] string-match:smtp-cmd-param:\xe4\x20\xe0\x08(fcase =no) [1947] string-match:smtp-cmd-param:\x24\x02\x04\x53(fcase =no) [1948] string-match:smtp-cmd-param:\x24\x02\x03\xf3(fcase =no) [1949] string-match:smtp-cmd-param:\x24\x02\x04\x25(fcase =no) [1950] string-match:smtp-cmd-param:\x24\x02\x03\xee(fcase =no) [1951] string-match:smtp-cmd-param:\x24\x02\x03\xeb(fcase =no) [1952] string-match:smtp-cmd-param:\x03\xff\xff\xcc(fcase =no) [1953] string-match:smtp-cmd-param:\x02..\x0c(fcase =no) [1954] string-match:smtp-cmd-param:\x01\x01\x01\x0c(fcase =no) [1955] string-match:smtp-cmd-param:\x13\x74\xf0\x47(fcase =no) [1956] string-match:smtp-cmd-param:\x12\x74\xf0\x47(fcase =no) [1957] string-match:smtp-cmd-param:\x11\x74\xf0\x47(fcase =no) [1958] string-match:smtp-cmd-param:/bin/sh(fcase =no) [1959] string-match:smtp-cmd-param:\xff\xff\xff\xed\xff\x1f\xd2/bin(fcase =no) [1960] string-match:smtp-cmd-param:\xff\x7e\xb2\x13\x94\xe7\x43\x20\x35\x60\x42(fcase =no) [1961] string-match:smtp-cmd-param:h....X5....H..PP..PPa(fcase =no) [1962] 
string-match:smtp-cmd-param:\x80\x30.\x40\xe2\xfa(fcase =no) [1963] string-match:smtp-cmd-param:\xac\x34.\xaa\xe2\xfa(fcase =no) [1964] string-match:smtp-cmd-param:\x2C\x61\x90\x50\x59\x66\xAD\x90(fcase =no) [1965] string-match:smtp-cmd-param:\xac\x2c.\xaa\xe2\xf5(fcase =no) [1966] string-match:smtp-cmd-param:\x9a\xff\xff\xff\xff\x07\xff(fcase =no) [1967] string-match:smtp-cmd-param:\xaa\x10\x10\x10\x10\x17\x10(fcase =no) [1968] string-match:smtp-cmd-param:\x9a\x01\x02\x03\x5c\x07\x04(fcase =no) [1969] string-match:smtp-cmd-param:\x9a\x04\x04\x04\x04\x07\x04(fcase =no) [1970] string-match:smtp-cmd-param:\x9a\x24\x24\x24\x24\x07\x24(fcase =no) [1971] string-match:http-req-uri-path:(nhtml|nphpd|nfunc)\.php(fcase =yes) [1972] string-match:http-req-uri-query-params:<~>(fcase =yes) [1973] unsigned-gt:rpc-call-data-len:0xffffffff:800:no [1974] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:1850:no [1975] string-match:pktsearch-rsp-text:Connected to host \((fcase =no) [1976] string-match:http-req-uri-path:\.asp%2e(fcase =yes) [1977] unsigned-in-range:pktsearch-tcp-dst-port:0xffffffff:7777:7778::no [1978] unsigned-gt:pktsearch-http-discovery-req-len:0xffffffff:432:no [1979] string-match:http-req-uri-path:(\\|/)apexec\.pl$(fcase =no) [1980] string-match:http-req-query-params:template(fcase =no) [1981] string-match:http-req-query-param-value:\.\.(/|\\)(fcase =no) [1982] unsigned-gt:pop3-retr-cmd-param-length:0xffffffff:9:no [1983] unsigned-lt:pop3-retr-cmd-param-length:0xffffffff:20:no [1984] numerical-eq:icmp-destination-unreachable-code:0xffffffff:3:no [1985] numerical-eq:icmp-destination-unreachable-src-port:0xffffffff:49:no [1986] numerical-eq:icmp-destination-unreachable-dst-port:0xffffffff:49:no [1987] string-match:smtp-COM-message-body:EDPLOc/DfQcKhPB1jUkm/BYR(fcase =no) [1988] string-match:smtp-COM-message-body:BYJoKFXpNM0UO0eMkQ+FaWW4(fcase =no) [1989] string-match:pop3-COM-message-body:EDPLOc/DfQcKhPB1jUkm/BYR(fcase =no) [1990] 
string-match:pop3-COM-message-body:BYJoKFXpNM0UO0eMkQ+FaWW4(fcase =no) [1991] string-match:imap-COM-message-body:EDPLOc/DfQcKhPB1jUkm/BYR(fcase =no) [1992] string-match:imap-COM-message-body:BYJoKFXpNM0UO0eMkQ+FaWW4(fcase =no) [1993] string-match:http-req-uri-path:/servlet/(fcase =yes) [1994] string-match:http-req-uri-path:/UploadServlet(fcase =yes) [1995] numerical-eq:telnet-invalid-client:0xffffffff:1:no [1996] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:200:no [1997] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:201:no [1998] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:202:no [1999] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:401:no [2000] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:402:no [2001] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:211:no [2002] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:212:no [2003] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:299:no [2004] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:1001:no [2005] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:56565:no [2006] string-match:pktsearch-rsp-text:^OK (fcase =no) [2007] unsigned-gt:imap-login-cmd-param-length:0xffffffff:1024:no [2008] numerical-eq:smtp-error-code:0xffffffff:X-LINK2STATE-CHUNK-OVERFLOW:no [2009] string-match:http-req-uri-path:/htgrep(fcase =yes) [2010] string-match:http-req-uri:hdr=/(fcase =yes) [2011] string-match:http-req-uri:qry=/(fcase =yes) [2012] numerical-eq:rpc-call-procedure:0xffffffff:103:no [2013] string-match:pktsearch-req-text:\x2a\x02....\x00\x04\x00\x06\x00\x00(fcase =no) [2014] string-match:pktsearch-req-text:aim:AddExternalApp\?(fcase =no) [2015] string-match:pktsearch-req-text:\x27\x12..0x00\x00\x02\x00\x05\x07\x4c\x7f\x11\xd1\x82\x22\x44\x45\x53\x54\x00\x00\x00\x0b\x00\x09(fcase =no) [2016] string-match:tds-mssql-client-query-payload:x\x00p\x00_\x00c\x00m\x00d\x00s\x00h\x00e\x00l\x00l\x00(fcase =yes) [2017] string-match:netbios-ss-tds-client-query-payload:x\x00p\x00_\x00c\x00m\x00d\x00s\x00h\x00e\x00l\x00l\x00(fcase =yes) [2018] 
unsigned-gt:sip-req-invite-uri-len:0xffffffff:512:no [2019] unsigned-gt:sip-req-uri-len:0xffffffff:1024:no [2020] unsigned-gt:sip-req-uri-len:0xffffffff:512:no [2021] string-match:sip-req-invite-uri-text:(%|\x2E|-|\x30#F0)\x30#F0\x30#F0[ndoxucsefg]%(fcase =no) [2022] string-match:sip-req-invite-uri-text:\x30#F0\x30#F0(\$n|\$hn)%(fcase =no) [2023] string-match:sip-req-invite-uri-text:%\x40#E0%\x40#E0%\x40#E0%[ndoxucsefg]%(fcase =no) [2024] string-match:sip-req-uri-text:(%|\x2E|-|\x30#F0)\x30#F0\x30#F0[ndoxucsefg]%(fcase =no) [2025] string-match:sip-req-uri-text:\x30#F0\x30#F0(\$n|\$hn)%(fcase =no) [2026] string-match:sip-req-uri-text:%\x40#E0%\x40#E0%\x40#E0%[ndoxucsefg]%(fcase =no) [2027] string-match:http-req-uri-path:search(fcase =yes) [2028] string-match:http-req-uri-query-param-name:NS-query-pat(fcase =yes) [2029] string-match:http-req-uri-query-param-value:\.\.(\\|/)\.\.(fcase =no) [2030] unsigned-gt:http-post-req-content-length:0xffffffff:4353:no [2031] string-match:pktsearch-req-text:User-Agent: PHEX(fcase =yes) [2032] string-match:http-get-req-user-agent-header:PHEX(fcase =yes) [2033] numerical-eq:pktsearch-udp-dst-port:0xffffffff:1:no [2034] string-match:pktsearch-req-text:^/udp/ connect (fcase =no) [2035] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:30303:no [2036] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:50505:no [2037] string-match:pktsearch-req-text:^\x2f\x2f\x20(fcase =no) [2038] string-match:pktsearch-trin00-d2m-req-text:*HELLO*(fcase =no) [2039] string-match:http-req-uri-path:read\.php3$(fcase =no) [2040] string-match:http-req-uri-query-param-name:sSQL(fcase =no) [2041] string-match:http-req-uri-query-param-value:(CREAT|INSERT|DROP)(fcase =no) [2042] string-match:smtp-SCR-message-body:IpIACgooc3luYy0xLv3/b/8w(fcase =no) [2043] string-match:smtp-SCR-message-body:MTsgYW5keQVJJ20ganVzdCBk(fcase =no) [2044] string-match:smtp-PIF-message-body:IpIACgooc3luYy0xLv3/b/8w(fcase =no) [2045] 
string-match:smtp-PIF-message-body:MTsgYW5keQVJJ20ganVzdCBk(fcase =no) [2046] string-match:smtp-CMD-message-body:IpIACgooc3luYy0xLv3/b/8w(fcase =no) [2047] string-match:smtp-CMD-message-body:MTsgYW5keQVJJ20ganVzdCBk(fcase =no) [2048] string-match:smtp-EXE-message-body:IpIACgooc3luYy0xLv3/b/8w(fcase =no) [2049] string-match:smtp-EXE-message-body:MTsgYW5keQVJJ20ganVzdCBk(fcase =no) [2050] string-match:smtp-BAT-message-body:IpIACgooc3luYy0xLv3/b/8w(fcase =no) [2051] string-match:smtp-BAT-message-body:MTsgYW5keQVJJ20ganVzdCBk(fcase =no) [2052] string-match:pop3-SCR-message-body:IpIACgooc3luYy0xLv3/b/8w(fcase =no) [2053] string-match:pop3-SCR-message-body:MTsgYW5keQVJJ20ganVzdCBk(fcase =no) [2054] string-match:pop3-PIF-message-body:IpIACgooc3luYy0xLv3/b/8w(fcase =no) [2055] string-match:pop3-PIF-message-body:MTsgYW5keQVJJ20ganVzdCBk(fcase =no) [2056] string-match:pop3-CMD-message-body:IpIACgooc3luYy0xLv3/b/8w(fcase =no) [2057] string-match:pop3-CMD-message-body:MTsgYW5keQVJJ20ganVzdCBk(fcase =no) [2058] string-match:pop3-EXE-message-body:IpIACgooc3luYy0xLv3/b/8w(fcase =no) [2059] string-match:pop3-EXE-message-body:MTsgYW5keQVJJ20ganVzdCBk(fcase =no) [2060] string-match:pop3-BAT-message-body:IpIACgooc3luYy0xLv3/b/8w(fcase =no) [2061] string-match:pop3-BAT-message-body:MTsgYW5keQVJJ20ganVzdCBk(fcase =no) [2062] string-match:imap-SCR-message-body:IpIACgooc3luYy0xLv3/b/8w(fcase =no) [2063] string-match:imap-SCR-message-body:MTsgYW5keQVJJ20ganVzdCBk(fcase =no) [2064] string-match:imap-PIF-message-body:IpIACgooc3luYy0xLv3/b/8w(fcase =no) [2065] string-match:imap-PIF-message-body:MTsgYW5keQVJJ20ganVzdCBk(fcase =no) [2066] string-match:imap-CMD-message-body:IpIACgooc3luYy0xLv3/b/8w(fcase =no) [2067] string-match:imap-CMD-message-body:MTsgYW5keQVJJ20ganVzdCBk(fcase =no) [2068] string-match:imap-EXE-message-body:IpIACgooc3luYy0xLv3/b/8w(fcase =no) [2069] string-match:imap-EXE-message-body:MTsgYW5keQVJJ20ganVzdCBk(fcase =no) [2070] 
string-match:imap-BAT-message-body:IpIACgooc3luYy0xLv3/b/8w(fcase =no) [2071] string-match:imap-BAT-message-body:MTsgYW5keQVJJ20ganVzdCBk(fcase =no) [2072] string-match:smtp-ZIP-message-body:P/njAHIAAABy(fcase =no) [2073] string-match:pop3-ZIP-message-body:P/njAHIAAABy(fcase =no) [2074] string-match:imap-ZIP-message-body:P/njAHIAAABy(fcase =no) [2075] string-match:pktsearch-rsp-text:^MSG00020(fcase =no) [2076] string-match:pktsearch-rsp-text:The Phoenix is ready(fcase =no) [2077] string-match:pktsearch-rsp-text:Phoenix II - Server(fcase =no) [2078] string-match:finger-client-data-text:^\.(\r|\r\n)?(fcase =no) [2079] string-match:finger-client-data-text:^0(\r|\r\n)?(fcase =no) [2080] numerical-eq:pktsearch-rsp-pktlen:0xffffffff:1:no [2081] string-match:pktsearch-req-text:^GET(fcase =no) [2082] string-match:pktsearch-req-text:^SEND(fcase =no) [2083] string-match:pktsearch-rsp-text:^Crazzynet(fcase =no) [2084] string-match:http-req-uri-path:viewsource/template.html?[\t ](fcase =no) [2085] string-match:snmp-request-community-string-field:public(fcase =yes) [2086] string-match:telnet-client-environ-sb-param:(\x03|\x00|\x01)LD_PRELOAD(\x00|\x01)\x2f(fcase =no) [2087] string-match:telnet-client-environ-sb-param:(\x03|\x00|\x01)LD_LIBRARY_PATH(\x00|\x01)\x2f(fcase =no) [2088] string-match:telnet-client-environ-sb-param:(\x03|\x00|\x01)LD_AOUT_LIBRARY_PATH(\x00|\x01)\x2f(fcase =no) [2089] string-match:telnet-client-environ-sb-param:(\x03|\x00|\x01)ELF_LD_LIBRARY_PATH(\x00|\x01)\x2f(fcase =no) [2090] string-match:telnet-client-environ-sb-param:(\x03|\x00|\x01)_RLD_(\x00|\x01)\x2f(fcase =no) [2091] string-match:telnet-client-environ-sb-param:(\x03|\x00|\x01)LIBPATH(\x00|\x01)\x2f(fcase =no) [2092] string-match:telnet-client-environ-sb-param:(\x03|\x00|\x01)IFS(\x00|\x01)\x2f(fcase =no) [2093] string-match:telnet-client-environ-sb-param:(\x03|\x00|\x01)LD_PRELOAD(fcase =no) [2094] string-match:telnet-client-environ-sb-param:(\x03|\x00|\x01)LD_LIBRARY_PATH(fcase =no) [2095] 
string-match:telnet-client-environ-sb-param:(\x03|\x00|\x01)LD_AOUT_LIBRARY_PATH(fcase =no) [2096] string-match:telnet-client-environ-sb-param:(\x03|\x00|\x01)ELF_LD_LIBRARY_PATH(fcase =no) [2097] string-match:telnet-client-environ-sb-param:(\x03|\x00|\x01)_RLD_(fcase =no) [2098] string-match:telnet-client-environ-sb-param:(\x03|\x00|\x01)LIBPATH(fcase =no) [2099] string-match:telnet-client-environ-sb-param:(\x03|\x00|\x01)IFS(fcase =no) [2100] string-match:telnet-client-environ-sb-param:[0-9][dxuioc]%(fcase =no) [2101] string-match:telnet-client-environ-sb-param:%(n|hn)%(fcase =no) [2102] string-match:telnet-client-environ-sb-param:%[1-9]$(n|hn)%(fcase =no) [2103] string-match:telnet-client-environ-sb-param:%1[1-9]$(n|hn)%(fcase =no) [2104] unsigned-gt:smtp-from-blace-counter:0xffffffff:20:no [2105] string-match:smtp-from-message-header:<><><><><><>(fcase =no) [2106] unsigned-gt:smtp-from-message-header-length:0xffffffff:256:no [2107] unsigned-gt:smtp-to-message-header-length:0xffffffff:256:no [2108] string-match:smtp-to-message-header:<><><><><><>(fcase =no) [2109] unsigned-gt:smtp-cc-message-header-length:0xffffffff:256:no [2110] string-match:smtp-cc-message-header:<><><><><><>(fcase =no) [2111] unsigned-gt:smtp-resent-sender-blace-counter:0xffffffff:20:no [2112] string-match:smtp-resent-sender-message-header:<><><><><><>(fcase =no) [2113] unsigned-gt:smtp-resent-sender-message-header-length:0xffffffff:256:no [2114] unsigned-gt:smtp-resent-from-blace-counter:0xffffffff:20:no [2115] string-match:smtp-resent-from-message-header:<><><><><><>(fcase =no) [2116] unsigned-gt:smtp-resent-from-message-header-length:0xffffffff:256:no [2117] unsigned-gt:smtp-reply-to-blace-counter:0xffffffff:20:no [2118] string-match:smtp-reply-to-message-header:<><><><><><>(fcase =no) [2119] unsigned-gt:smtp-reply-to-message-header-length:0xffffffff:256:no [2120] unsigned-gt:smtp-resent-reply-to-blace-counter:0xffffffff:20:no [2121] 
string-match:smtp-resent-reply-to-message-header:<><><><><><>(fcase =no) [2122] unsigned-gt:smtp-resent-reply-to-message-header-length:0xffffffff:256:no [2123] unsigned-gt:smtp-sender-blace-counter:0xffffffff:20:no [2124] string-match:smtp-sender-message-header:<><><><><><>(fcase =no) [2125] unsigned-gt:smtp-sender-message-header-length:0xffffffff:256:no [2126] unsigned-gt:smtp-errors-to-blace-counter:0xffffffff:20:no [2127] string-match:smtp-errors-to-message-header:<><><><><><>(fcase =no) [2128] unsigned-gt:smtp-errors-to-message-header-length:0xffffffff:256:no [2129] unsigned-gt:smtp-helo-cmd-param-length:0xffffffff:1200:no [2130] string-match:smtp-helo-cmd-param:_safebomb__safe(fcase =no) [2131] string-match:http-req-uri-path:(/|\\)AuthFiles(/|\\)(fcase =yes) [2132] string-match:http-req-uri-path:(/|\\)Login\.asp(fcase =yes) [2133] unsigned-gt:http-req-uri-query-params-length:0xffffffff:512:no [2134] numerical-eq:dns-hdr-id:0xffffffff:0x5641:no [2135] string-match:dns-request-qname:\x07\x2d\x37\x33\x35\x30(fcase =no) [2136] numerical-eq:dns-request-question-type:0xffffffff:0x9090:no [2137] numerical-eq:dns-request-question-class:0xffffffff:0x9090:no [2138] string-match:dns-request-qname:\xeb\xfe\x0a\x90(fcase =no) [2139] unsigned-gt:imap-continue-cmd-param-length:0xffffffff:0x80000000:no [2140] string-match:http-req-uri:/etc/(fcase =no) [2141] string-match:http-req-uri:/(passwd|shadow)(fcase =no) [2142] string-match:http-req-uri:\.pwl( |\x26)(fcase =yes) [2143] numerical-eq:upnp-protocol:0xffffffff:1900:no [2144] unsigned-gt:upnp-req-webdav-notify-uri-len:0xffffffff:256:no [2145] unsigned-gt:upnp-req-webdav-search-uri-len:0xffffffff:256:no [2146] unsigned-gt:upnp-req-header-len:0xffffffff:256:no [2147] string-match:pktsearch-req-text:^\{C:\\(fcase =no) [2148] string-match:pktsearch-rsp-text:^\{C:\\(fcase =no) [2149] string-match:pktsearch-req-text:UserAgent: KazaaClient(fcase =yes) [2150] string-match:pktsearch-req-text:UserAgent: Grokster(fcase =yes) [2151] 
string-match:pktsearch-req-text:UserAgent: fileshare(fcase =yes) [2152] string-match:pktsearch-req-text:UserAgent: MusicCity(fcase =yes) [2153] numerical-eq:pktsearch-http-counter:0xffffffff:1:no [2154] string-match:http-req-user-agent-header:KazaaClient(fcase =yes) [2155] string-match:http-req-user-agent-header:Grokster(fcase =yes) [2156] string-match:http-req-user-agent-header:fileshare(fcase =yes) [2157] string-match:http-req-user-agent-header:MusicCity(fcase =yes) [2158] string-match-ap:req-content-text:\nX-Kazaa-Network:(fcase =no) [2159] string-match-ap:rsp-content-text:\nX-Kazaa-Network:(fcase =no) [2160] unsigned-gt:rexec-client-handshake-password-text-length:0xffffffff:128:no [2161] unsigned-gt:rexec-password-client-login-length:0xffffffff:128:no [2162] string-match:snmp-get-varbind-object-id-field:^\x2b\x06\x01\x04\x01\x86\x76\x01\x01\x01(fcase =no) [2163] string-match:snmp-get-next-varbind-object-id-field:^\x2b\x06\x01\x04\x01\x86\x76\x01\x01\x01(fcase =no) [2164] string-match:snmp-set-varbind-object-id-field:^\x2b\x06\x01\x04\x01\x86\x76\x01\x01\x01(fcase =no) [2165] string-match:snmp-v2-bulk-varbind-object-id-field:^\x2b\x06\x01\x04\x01\x86\x76\x01\x01\x01(fcase =no) [2166] numerical-eq:netbios-ss-dcerpc-req-LSARPC-request-op-num:0xffffffff:0:no [2167] unsigned-gt:netbios-ss-dcerpc-req-LSARPC-request-frag-length:0xffffffff:700:no [2168] string-match:http-req-uri-path:\.htaccess(fcase =yes) [2169] string-match:http-req-uri-path:DCShop/(fcase =yes) [2170] string-match:http-req-uri-path:orders\.txt(fcase =yes) [2171] string-match:http-req-uri-path:auth_user_file\.txt(fcase =yes) [2172] string-match:http-req-uri-path:/\.history$(fcase =no) [2173] string-match:pktsearch-shaft-a2h-req-text:alive(fcase =no) [2174] string-match:smtp-PIF-message-body:fpOqxea9Mfh/azyyu+JlDGmL(fcase =no) [2175] string-match:smtp-PIF-message-body:F8KD3c5+ar8O8y7029Qxw7f1(fcase =no) [2176] string-match:smtp-EXE-message-body:fpOqxea9Mfh/azyyu+JlDGmL(fcase =no) [2177] 
string-match:smtp-EXE-message-body:F8KD3c5+ar8O8y7029Qxw7f1(fcase =no) [2178] string-match:smtp-SCR-message-body:fpOqxea9Mfh/azyyu+JlDGmL(fcase =no) [2179] string-match:smtp-SCR-message-body:F8KD3c5+ar8O8y7029Qxw7f1(fcase =no) [2180] string-match:smtp-BAT-message-body:fpOqxea9Mfh/azyyu+JlDGmL(fcase =no) [2181] string-match:smtp-BAT-message-body:F8KD3c5+ar8O8y7029Qxw7f1(fcase =no) [2182] string-match:smtp-CMD-message-body:fpOqxea9Mfh/azyyu+JlDGmL(fcase =no) [2183] string-match:smtp-CMD-message-body:F8KD3c5+ar8O8y7029Qxw7f1(fcase =no) [2184] string-match:pop3-PIF-message-body:fpOqxea9Mfh/azyyu+JlDGmL(fcase =no) [2185] string-match:pop3-PIF-message-body:F8KD3c5+ar8O8y7029Qxw7f1(fcase =no) [2186] string-match:pop3-EXE-message-body:fpOqxea9Mfh/azyyu+JlDGmL(fcase =no) [2187] string-match:pop3-EXE-message-body:F8KD3c5+ar8O8y7029Qxw7f1(fcase =no) [2188] string-match:pop3-SCR-message-body:fpOqxea9Mfh/azyyu+JlDGmL(fcase =no) [2189] string-match:pop3-SCR-message-body:F8KD3c5+ar8O8y7029Qxw7f1(fcase =no) [2190] string-match:pop3-BAT-message-body:fpOqxea9Mfh/azyyu+JlDGmL(fcase =no) [2191] string-match:pop3-BAT-message-body:F8KD3c5+ar8O8y7029Qxw7f1(fcase =no) [2192] string-match:pop3-CMD-message-body:fpOqxea9Mfh/azyyu+JlDGmL(fcase =no) [2193] string-match:pop3-CMD-message-body:F8KD3c5+ar8O8y7029Qxw7f1(fcase =no) [2194] string-match:imap-PIF-message-body:fpOqxea9Mfh/azyyu+JlDGmL(fcase =no) [2195] string-match:imap-PIF-message-body:F8KD3c5+ar8O8y7029Qxw7f1(fcase =no) [2196] string-match:imap-EXE-message-body:fpOqxea9Mfh/azyyu+JlDGmL(fcase =no) [2197] string-match:imap-EXE-message-body:F8KD3c5+ar8O8y7029Qxw7f1(fcase =no) [2198] string-match:imap-SCR-message-body:fpOqxea9Mfh/azyyu+JlDGmL(fcase =no) [2199] string-match:imap-SCR-message-body:F8KD3c5+ar8O8y7029Qxw7f1(fcase =no) [2200] string-match:imap-BAT-message-body:fpOqxea9Mfh/azyyu+JlDGmL(fcase =no) [2201] string-match:imap-BAT-message-body:F8KD3c5+ar8O8y7029Qxw7f1(fcase =no) [2202] 
string-match:imap-CMD-message-body:fpOqxea9Mfh/azyyu+JlDGmL(fcase =no) [2203] string-match:imap-CMD-message-body:F8KD3c5+ar8O8y7029Qxw7f1(fcase =no) [2204] unsigned-gt:dhcp-req-cf-hostname-length:0xffffffff:764:no [2205] unsigned-gt:imap-create-cmd-param-length:0xffffffff:1024:no [2206] numerical-eq:radius-access-request-length:0xffffffff:1024:no [2207] numerical-eq:radius-access-request-length:0xffffffff:2048:no [2208] numerical-eq:radius-access-request-length:0xffffffff:4096:no [2209] numerical-eq:radius-access-request-length:0xffffffff:8192:no [2210] numerical-eq:radius-access-request-attr-counter:0xffffffff:500:no [2211] string-match:pktsearch-req-text:\x13\x74\xf0\x47(fcase =no) [2212] string-match:pktsearch-req-text:\x12\x74\xf0\x47(fcase =no) [2213] string-match:pktsearch-req-text:\x11\x74\xf0\x47(fcase =no) [2214] string-match:pktsearch-req-text:/bin/sh(fcase =no) [2215] string-match:pktsearch-req-text:\xff\xff\xff\xed\xff\x1f\xd2/bin(fcase =no) [2216] string-match:pktsearch-req-text:\xff\x7e\xb2\x13\x94\xe7\x43\x20\x35\x60\x42(fcase =no) [2217] string-match:smtp-subject-message-header:mail(fcase =no) [2218] string-match:smtp-name-message-header:masteraz\.exe(fcase =yes) [2219] string-match:smtp-subject-message-header:Improve your Credit(fcase =yes) [2220] string-match:smtp-name-message-header:jimkre\.exe(fcase =yes) [2221] string-match:http-post-req-uri-path:/sendeditfile(fcase =yes) [2222] string-match:http-req-cookie-header:login=0(fcase =yes) [2223] string-match:http-req-uri-path:/runfile=(fcase =yes) [2224] string-match:pktsearch-rsp-text:^ver:Ghost version .\.. 
server(fcase =no) [2225] unsigned-gt:dcerpc-dcom-meow-custom-size:0xffffffff:0xffff:no [2226] string-match:rpc-call-data:\xb0\x06\x89\x46\x08\xb0\x66\x8d\x0e\xcd\x80\x89\x06\x8d\x4e\x0c\x89\x4e\x04\x31\xc0\x89\x46\x10\x89\x46\x14\xb0(fcase =no) [2227] string-match:pktsearch-req-text:\xb0\x06\x89\x46\x08\xb0\x66\x8d\x0e\xcd\x80\x89\x06\x8d\x4e\x0c\x89\x4e\x04\x31\xc0\x89\x46\x10\x89\x46\x14\xb0(fcase =no) [2228] string-match:http-req-uri-path:tarantella(\\|/)(fcase =yes) [2229] string-match:http-req-uri-path:ttawebtop.cgi(\\|/)$(fcase =yes) [2230] string-match:http-req-uri-query-param-name:action(fcase =yes) [2231] string-match:http-req-uri-query-param-value:start(fcase =yes) [2232] string-match:http-req-uri-query-param-name:pg(fcase =yes) [2233] string-match:http-post-req-uri-path:(\\|/)webgais(fcase =no) [2234] string-match:http-post-req-message-body:query(fcase =no) [2235] string-match:http-post-req-message-body:output(fcase =no) [2236] string-match:http-post-req-message-body:subject(fcase =no) [2237] string-match:http-post-req-message-body:domain(fcase =no) [2238] string-match:http-post-req-message-body:paragraph(fcase =no) [2239] unsigned-gt:rsh-username-client-login-length:0xffffffff:128:no [2240] unsigned-gt:rsh-client-handshake-serveruser-text-length:0xffffffff:128:no [2241] unsigned-gt:pop3-list-cmd-param-length:0xffffffff:200:no [2242] string-match:smtp-CPL-message-body:RT0pxgN9h6MbugyS9M+xvArY(fcase =no) [2243] string-match:smtp-CPL-message-body:APOKVKihCTZLqLJrVFYn489L(fcase =no) [2244] string-match:smtp-EXE-message-body:GrPRg958gOhzA9rbOFrg8mUw(fcase =no) [2245] string-match:smtp-EXE-message-body:xfVnkPZ/1cMc+zKHwT9ii5A+(fcase =no) [2246] string-match:smtp-SCR-message-body:GrPRg958gOhzA9rbOFrg8mUw(fcase =no) [2247] string-match:smtp-SCR-message-body:xfVnkPZ/1cMc+zKHwT9ii5A+(fcase =no) [2248] string-match:smtp-COM-message-body:GrPRg958gOhzA9rbOFrg8mUw(fcase =no) [2249] string-match:smtp-COM-message-body:xfVnkPZ/1cMc+zKHwT9ii5A+(fcase =no) [2250] 
string-match:imap-CPL-message-body:RT0pxgN9h6MbugyS9M+xvArY(fcase =no) [2251] string-match:imap-CPL-message-body:APOKVKihCTZLqLJrVFYn489L(fcase =no) [2252] string-match:imap-EXE-message-body:GrPRg958gOhzA9rbOFrg8mUw(fcase =no) [2253] string-match:imap-EXE-message-body:xfVnkPZ/1cMc+zKHwT9ii5A+(fcase =no) [2254] string-match:imap-SCR-message-body:GrPRg958gOhzA9rbOFrg8mUw(fcase =no) [2255] string-match:imap-SCR-message-body:xfVnkPZ/1cMc+zKHwT9ii5A+(fcase =no) [2256] string-match:imap-COM-message-body:GrPRg958gOhzA9rbOFrg8mUw(fcase =no) [2257] string-match:imap-COM-message-body:xfVnkPZ/1cMc+zKHwT9ii5A+(fcase =no) [2258] string-match:pop3-CPL-message-body:RT0pxgN9h6MbugyS9M+xvArY(fcase =no) [2259] string-match:pop3-CPL-message-body:APOKVKihCTZLqLJrVFYn489L(fcase =no) [2260] string-match:pop3-EXE-message-body:GrPRg958gOhzA9rbOFrg8mUw(fcase =no) [2261] string-match:pop3-EXE-message-body:xfVnkPZ/1cMc+zKHwT9ii5A+(fcase =no) [2262] string-match:pop3-SCR-message-body:GrPRg958gOhzA9rbOFrg8mUw(fcase =no) [2263] string-match:pop3-SCR-message-body:xfVnkPZ/1cMc+zKHwT9ii5A+(fcase =no) [2264] string-match:pop3-COM-message-body:GrPRg958gOhzA9rbOFrg8mUw(fcase =no) [2265] string-match:pop3-COM-message-body:xfVnkPZ/1cMc+zKHwT9ii5A+(fcase =no) [2266] unsigned-gt:imap-search-cmd-param-length:0xffffffff:1024:no [2267] string-match:http-req-uri-path:PDG_Cart(/|\\)shopper\.conf(fcase =yes) [2268] string-match:http-req-uri-path:PDG_Cart(/|\\)order\.log(fcase =yes) [2269] string-match:pktsearch-req-text:^Test Server(fcase =no) [2270] string-match:pktsearch-rsp-text:^Server is online(fcase =no) [2271] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:4488:no [2272] string-match:ftp-pass-cmd-param:wh00t(fcase =no) [2273] string-match:pop3-invalid-cmd-text:\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa(fcase =no) [2274] string-match:pop3-invalid-cmd-text:\xff\xff/bin/sh\.\.\.\.\.\.\.\.\.(fcase =no) [2275] string-match:smtp-EXE-message-body:aKJto29hAHEAqqGLm3hzAHS/(fcase =no) [2276] 
string-match:smtp-EXE-message-body:dgB3bXmwugttVWNfqgAw+zLX(fcase =no) [2277] string-match:smtp-ZIP-message-body:aKJto29hAHEAqqGLm3hzAHS/(fcase =no) [2278] string-match:smtp-ZIP-message-body:dgB3bXmwugttVWNfqgAw+zLX(fcase =no) [2279] string-match:smtp-ZIP-message-body:om2jb2EAcQCqoYubeHMAdL92(fcase =no) [2280] string-match:smtp-ZIP-message-body:AHdtebC6C21VY1+qADD7Mtf0(fcase =no) [2281] string-match:smtp-ZIP-message-body:baNvYQBxAKqhi5t4cwB0v3YA(fcase =no) [2282] string-match:smtp-ZIP-message-body:d215sLoLbVVjX6oAMPsy1/Rb(fcase =no) [2283] string-match:pop3-EXE-message-body:aKJto29hAHEAqqGLm3hzAHS/(fcase =no) [2284] string-match:pop3-EXE-message-body:dgB3bXmwugttVWNfqgAw+zLX(fcase =no) [2285] string-match:pop3-ZIP-message-body:aKJto29hAHEAqqGLm3hzAHS/(fcase =no) [2286] string-match:pop3-ZIP-message-body:dgB3bXmwugttVWNfqgAw+zLX(fcase =no) [2287] string-match:pop3-ZIP-message-body:om2jb2EAcQCqoYubeHMAdL92(fcase =no) [2288] string-match:pop3-ZIP-message-body:AHdtebC6C21VY1+qADD7Mtf0(fcase =no) [2289] string-match:pop3-ZIP-message-body:baNvYQBxAKqhi5t4cwB0v3YA(fcase =no) [2290] string-match:pop3-ZIP-message-body:d215sLoLbVVjX6oAMPsy1/Rb(fcase =no) [2291] string-match:imap-EXE-message-body:aKJto29hAHEAqqGLm3hzAHS/(fcase =no) [2292] string-match:imap-EXE-message-body:dgB3bXmwugttVWNfqgAw+zLX(fcase =no) [2293] string-match:imap-ZIP-message-body:aKJto29hAHEAqqGLm3hzAHS/(fcase =no) [2294] string-match:imap-ZIP-message-body:dgB3bXmwugttVWNfqgAw+zLX(fcase =no) [2295] string-match:imap-ZIP-message-body:om2jb2EAcQCqoYubeHMAdL92(fcase =no) [2296] string-match:imap-ZIP-message-body:AHdtebC6C21VY1+qADD7Mtf0(fcase =no) [2297] string-match:imap-ZIP-message-body:baNvYQBxAKqhi5t4cwB0v3YA(fcase =no) [2298] string-match:imap-ZIP-message-body:d215sLoLbVVjX6oAMPsy1/Rb(fcase =no) [2299] string-match:tftp-filename:\.\.(\\|/)(fcase =yes) [2300] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:31745:no [2301] numerical-eq:pktsearch-req-1st-4b:0xFFFFFF00:0x76657200:no [2302] 
string-match:pktsearch-rsp-text:\*VERBuHa 1\.0\r\n(fcase =no) [2303] string-match:pktsearch-rsp-text:\*VERBuHa 1\.21\r\n(fcase =no) [2304] string-match:pktsearch-rsp-text:\*VERBuHa 1\.22\r\n(fcase =no) [2305] string-match:pktsearch-rsp-text:\*VERBuHa TNG 1\.22\r\n(fcase =no) [2306] unsigned-gt:http-req-authorization-header-length:0xffffffff:800:no [2307] string-match:http-req-authorization-header:Basic (fcase =yes) [2308] string-match:http-req-uri-path:/campas$(fcase =no) [2309] string-match:http-req-uri-query-params:^%0(A|a)(fcase =no) [2310] string-match:pop3-user-cmd-param:\x90\x90\x40\x40\x40(fcase =no) [2311] string-match:pop3-user-cmd-param:\xeb\x4b\x5b\x53\x32\xe4\x83\xc3(fcase =no) [2312] string-match:pop3-user-cmd-param:\x33\xc0\x50\xff\xd7\xe8\xb0\xff\xff\xffmsvcrt\.dll\.system\.exit\.(fcase =no) [2313] string-match:smtp-PIF-message-body:60Ox67g0ilzCkCELUY1H/wys(fcase =no) [2314] string-match:smtp-PIF-message-body:OVrHBQaDPWSAwIUBfg5qVwSQ(fcase =no) [2315] string-match:pop3-PIF-message-body:60Ox67g0ilzCkCELUY1H/wys(fcase =no) [2316] string-match:pop3-PIF-message-body:OVrHBQaDPWSAwIUBfg5qVwSQ(fcase =no) [2317] string-match:imap-PIF-message-body:60Ox67g0ilzCkCELUY1H/wys(fcase =no) [2318] string-match:imap-PIF-message-body:OVrHBQaDPWSAwIUBfg5qVwSQ(fcase =no) [2319] unsigned-gt:imap-select-cmd-param-length:0xffffffff:250:no [2320] string-match:lpr-unsupport-cmd-buffer:\xe8.\xff\xff(fcase =no) [2321] string-match:lpr-unsupport-cmd-buffer:\x90{12}(fcase =no) [2322] string-match:lpr-unsupport-cmd-buffer:\x9a....\x07(fcase =no) [2323] string-match:lpr-unsupport-cmd-buffer:\xcd\x80(fcase =no) [2324] unsigned-gt:smtp-vrfy-cmd-param-length:0xffffffff:512:no [2325] string-match:http-req-uri-path:SQLQHit\.asp(fcase =yes) [2326] string-match:http-req-uri-query-params:CiScope=(webinfo|fileinfo|extended_fileinfo|extended_webinfo)(fcase =yes) [2327] string-match:pktsearch-req-text:aim:AddGame\?(fcase =no) [2328] 
string-match:pktsearch-req-text:\x27\x11..0x00\x00\x02\x00\x05\x07\x4c\x7f\x11\xd1\x82\x22\x44\x45\x53\x54\x00\x00\x00\x0b\x00\x09(fcase =no) [2329] unsigned-gt:ftp-iac-cmd-counter:0xffffffff:0:no [2330] string-match:ftp-invalid-cmd-text:CWD ~root(fcase =yes) [2331] string-match:ftp-cwd-cmd-param:~root(fcase =no) [2332] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:7597:no [2333] numerical-eq:pktsearch-rsp-1st-4b:0xFF000000:0x3A000000:no [2334] unsigned-gt:netbios-ss-smb-open-bytecount:0xffffffff:2048:no [2335] string-match:netbios-ss-smb-open-buffer:\x00\x7e\x00.\x00.\x00\.(fcase =no) [2336] unsigned-gt:netbios-ss-smb-create-bytecount:0xffffffff:2048:no [2337] string-match:netbios-ss-smb-create-buffer:\x00\x7e\x00.\x00.\x00\.(fcase =no) [2338] unsigned-gt:netbios-ss-smb-delete-bytecount:0xffffffff:2048:no [2339] string-match:netbios-ss-smb-delete-buffer:\x00\x7e\x00.\x00.\x00\.(fcase =no) [2340] unsigned-gt:netbios-ss-smb-rename-bytecount:0xffffffff:2048:no [2341] string-match:netbios-ss-smb-rename-buffer:\x00\x7e\x00.\x00.\x00\.(fcase =no) [2342] unsigned-gt:netbios-ss-smb-query_information-bytecount:0xffffffff:2048:no [2343] string-match:netbios-ss-smb-query_information-buffer:\x00\x7e\x00.\x00.\x00\.(fcase =no) [2344] unsigned-gt:netbios-ss-smb-set_information-bytecount:0xffffffff:2048:no [2345] string-match:netbios-ss-smb-set_information-buffer:\x00\x7e\x00.\x00.\x00\.(fcase =no) [2346] unsigned-gt:netbios-ss-smb-create_new-bytecount:0xffffffff:2048:no [2347] string-match:netbios-ss-smb-create_new-buffer:\x00\x7e\x00.\x00.\x00\.(fcase =no) [2348] unsigned-gt:netbios-ss-smb-copy-bytecount:0xffffffff:2048:no [2349] string-match:netbios-ss-smb-copy-buffer:\x00\x7e\x00.\x00.\x00\.(fcase =no) [2350] unsigned-gt:netbios-ss-smb-move-bytecount:0xffffffff:2048:no [2351] string-match:netbios-ss-smb-move-buffer:\x00\x7e\x00.\x00.\x00\.(fcase =no) [2352] unsigned-gt:netbios-ss-smb-open_andx-bytecount:0xffffffff:2048:no [2353] 
string-match:netbios-ss-smb-open_andx-buffer:\x00\x7e\x00.\x00.\x00\.(fcase =no) [2354] unsigned-gt:netbios-ss-smb-find-bytecount:0xffffffff:2048:no [2355] string-match:netbios-ss-smb-find-buffer:\x00\x7e\x00.\x00.\x00\.(fcase =no) [2356] unsigned-gt:netbios-ss-smb-find_unique-bytecount:0xffffffff:2048:no [2357] string-match:netbios-ss-smb-find_unique-buffer:\x00\x7e\x00.\x00.\x00\.(fcase =no) [2358] unsigned-gt:netbios-ss-smb-find_close-bytecount:0xffffffff:2048:no [2359] string-match:netbios-ss-smb-find_close-buffer:\x00\x7e\x00.\x00.\x00\.(fcase =no) [2360] unsigned-gt:netbios-ss-smb-nt_create_andx-bytecount:0xffffffff:2048:no [2361] string-match:netbios-ss-smb-nt_create_andx-buffer:\x00\x7e\x00.\x00.\x00\.(fcase =no) [2362] unsigned-gt:netbios-ss-smb-nt_rename-bytecount:0xffffffff:2048:no [2363] string-match:netbios-ss-smb-nt_rename-buffer:\x00\x7e\x00.\x00.\x00\.(fcase =no) [2364] string-match:tds-sybase-client-query-payload:dbcc checkverify\((fcase =yes) [2365] string-match:smtp-mail-cmd-param:\x90\x90\x90\xeb\x32\x5b\x53\x32\xe4\x83\xc3\x0b\x4b(fcase =no) [2366] numerical-eq:http-dst-port:0xffffffff:6588:no [2367] unsigned-gt:http-req-uri-length:0xffffffff:340:no [2368] string-match:tds-mssql-client-query-payload:\x00p\x00w\x00d\x00e\x00n\x00c\x00r\x00y\x00p\x00t\x00(fcase =yes) [2369] string-match:tds-mssql-client-query-payload:\x00r\x00e\x00p\x00l\x00i\x00c\x00a\x00t\x00e\x00\(\x00(fcase =yes) [2370] string-match:netbios-ss-tds-client-query-payload:\x00p\x00w\x00d\x00e\x00n\x00c\x00r\x00y\x00p\x00t\x00(fcase =yes) [2371] string-match:netbios-ss-tds-client-query-payload:\x00r\x00e\x00p\x00l\x00i\x00c\x00a\x00t\x00e\x00\(\x00(fcase =yes) [2372] numerical-eq:icmp-echo-reply-id:0xffffffff:667:no [2373] numerical-eq:icmp-echo-reply-id:0xffffffff:6667:no [2374] string-match:icmp-echo-reply-payload:\x66\x69\x63\x6B\x65\x6e(fcase =no) [2375] string-match:smtp-SCR-message-body:opAAZDRQAFwDmqZpmlRMRDw0(fcase =no) [2376] 
string-match:smtp-SCR-message-body:LGmapmkkHBQMBNM0zbL8M/Ts(fcase =no) [2377] string-match:smtp-PIF-message-body:opAAZDRQAFwDmqZpmlRMRDw0(fcase =no) [2378] string-match:smtp-PIF-message-body:LGmapmkkHBQMBNM0zbL8M/Ts(fcase =no) [2379] string-match:smtp-CMD-message-body:opAAZDRQAFwDmqZpmlRMRDw0(fcase =no) [2380] string-match:smtp-CMD-message-body:LGmapmkkHBQMBNM0zbL8M/Ts(fcase =no) [2381] string-match:smtp-EXE-message-body:opAAZDRQAFwDmqZpmlRMRDw0(fcase =no) [2382] string-match:smtp-EXE-message-body:LGmapmkkHBQMBNM0zbL8M/Ts(fcase =no) [2383] string-match:smtp-BAT-message-body:opAAZDRQAFwDmqZpmlRMRDw0(fcase =no) [2384] string-match:smtp-BAT-message-body:LGmapmkkHBQMBNM0zbL8M/Ts(fcase =no) [2385] string-match:pop3-SCR-message-body:opAAZDRQAFwDmqZpmlRMRDw0(fcase =no) [2386] string-match:pop3-SCR-message-body:LGmapmkkHBQMBNM0zbL8M/Ts(fcase =no) [2387] string-match:pop3-PIF-message-body:opAAZDRQAFwDmqZpmlRMRDw0(fcase =no) [2388] string-match:pop3-PIF-message-body:LGmapmkkHBQMBNM0zbL8M/Ts(fcase =no) [2389] string-match:pop3-CMD-message-body:opAAZDRQAFwDmqZpmlRMRDw0(fcase =no) [2390] string-match:pop3-CMD-message-body:LGmapmkkHBQMBNM0zbL8M/Ts(fcase =no) [2391] string-match:pop3-EXE-message-body:opAAZDRQAFwDmqZpmlRMRDw0(fcase =no) [2392] string-match:pop3-EXE-message-body:LGmapmkkHBQMBNM0zbL8M/Ts(fcase =no) [2393] string-match:pop3-BAT-message-body:opAAZDRQAFwDmqZpmlRMRDw0(fcase =no) [2394] string-match:pop3-BAT-message-body:LGmapmkkHBQMBNM0zbL8M/Ts(fcase =no) [2395] string-match:imap-SCR-message-body:opAAZDRQAFwDmqZpmlRMRDw0(fcase =no) [2396] string-match:imap-SCR-message-body:LGmapmkkHBQMBNM0zbL8M/Ts(fcase =no) [2397] string-match:imap-PIF-message-body:opAAZDRQAFwDmqZpmlRMRDw0(fcase =no) [2398] string-match:imap-PIF-message-body:LGmapmkkHBQMBNM0zbL8M/Ts(fcase =no) [2399] string-match:imap-CMD-message-body:opAAZDRQAFwDmqZpmlRMRDw0(fcase =no) [2400] string-match:imap-CMD-message-body:LGmapmkkHBQMBNM0zbL8M/Ts(fcase =no) [2401] 
string-match:imap-EXE-message-body:opAAZDRQAFwDmqZpmlRMRDw0(fcase =no) [2402] string-match:imap-EXE-message-body:LGmapmkkHBQMBNM0zbL8M/Ts(fcase =no) [2403] string-match:imap-BAT-message-body:opAAZDRQAFwDmqZpmlRMRDw0(fcase =no) [2404] string-match:imap-BAT-message-body:LGmapmkkHBQMBNM0zbL8M/Ts(fcase =no) [2405] string-match:smtp-ZIP-message-body:m2jMCIcAAAiH(fcase =no) [2406] string-match:smtp-ZIP-message-body:jKgF7YcAAO2H(fcase =no) [2407] string-match:pop3-ZIP-message-body:m2jMCIcAAAiH(fcase =no) [2408] string-match:pop3-ZIP-message-body:jKgF7YcAAO2H(fcase =no) [2409] string-match:imap-ZIP-message-body:m2jMCIcAAAiH(fcase =no) [2410] string-match:imap-ZIP-message-body:jKgF7YcAAO2H(fcase =no) [2411] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:5631:no [2412] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:5632:no [2413] string-match:pktsearch-rsp-text:09\xA4\xA40(fcase =no) [2414] string-match:pktsearch-rsp-text:00000129(fcase =no) [2415] string-match:smtp-expn-cmd-param:\x8b\xc4\x83\xc0\x17\x50\xb8\x0e\xb5\xe9\x77\xff\xd0\x33\xdb\x53\xb8\x2d\xf3\xe8\x77\xff\xd0\x63\x6d\x64\x2e\x65\x78\x65\x0d\x0a(fcase =no) [2416] string-match:dns-response-qname:update.messenger.yahoo.com(fcase =no) [2417] string-match:dns-response-qname:update.pager.yahoo.com(fcase =no) [2418] string-match:dns-response-qname:msg.yahoo.com(fcase =no) [2419] string-match:dns-response-qname:cs.yahoo.com(fcase =no) [2420] string-match:pktsearch-req-text:\x00File Transfer\x00(fcase =no) [2421] string-match-ap:req-content-text:OFT2\x01\x00\x01\x01(fcase =no)(offset=0, depth=0) [2422] string-match-ap:req-content-text:OFT2\x01\x00\x02\x02(fcase =no)(offset=0, depth=0) [2423] string-match-ap:rsp-content-text:OFT2\x01\x00\x01\x01(fcase =no)(offset=0, depth=0) [2424] string-match-ap:rsp-content-text:OFT2\x01\x00\x02\x02(fcase =no)(offset=0, depth=0) [2425] string-match:telnet-client-environ-sb-param:(\x03|\x00|\x01)TERM(fcase =yes) [2426] 
string-match:telnet-client-environ-sb-param:(\x03|\x00|\x01)TERMCAP(\x00|\x01)\x2f(fcase =yes) [2427] string-match:telnet-client-environ-sb-param:(\x03|\x00|\x01)TERMCAP\x01(fcase =yes) [2428] string-match:netbios-ss-dcerpc-req-WINREG-request-payload:R\x00A\x00S\x00\x00(fcase =no) [2429] string-match:smtp-user-cmd-param:^bin(fcase =no) [2430] string-match:http-req-uri-path:webspris\.cgi(fcase =yes) [2431] string-match:http-req-uri-query-param-name:sp\.nextform(fcase =yes) [2432] string-match:ntp-control-message-data:\xe8.\xff\xff(fcase =no) [2433] string-match:ntp-control-message-data:\x90{12}(fcase =no) [2434] string-match:ntp-control-message-data:\x99\x99\x99/x99(fcase =no) [2435] string-match:ntp-control-message-data:\x9a....\x07(fcase =no) [2436] string-match:ntp-control-message-data:\xcd\x80(fcase =no) [2437] unsigned-gt:ntp-control-message-count:0xffffffff:0x100:no [2438] string-match:ntp-control-message-data:stratum=\x90\x90(fcase =no) [2439] string-match:ntp-control-message-data:xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b(fcase =no) [2440] string-match:ntp-control-message-data:\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f(fcase =no) [2441] string-match:pktsearch-req-text:^version(fcase =no) [2442] string-match:pktsearch-rsp-text:^WindowsMite Server v1\.0(fcase =no) [2443] string-match:http-req-uri-query-params:^/jsp/(fcase =yes) [2444] string-match:http-req-uri-query-params:^? 
(fcase =yes) [2445] string-match:http-req-uri-path:source\.jsp$(fcase =yes) [2446] string-match:http-req-uri-path:realpath\.jsp(fcase =yes) [2447] numerical-eq:netbios-ss-dcerpc-req-SRVSVC-request-op-num:0xffffffff:15:no [2448] string-match:netbios-ss-dcerpc-req-SRVSVC-request-payload:\x01\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff(fcase =no) [2449] string-match:smtp-invalid-cmd-text:Croot\x09\x09\x09\x09\x09\x09\x09Mprog,P=/bin(fcase =no) [2450] string-match:smtp-invalid-cmd-text:C\x3adaemon(fcase =no) [2451] string-match:smtp-invalid-cmd-text:Croot(fcase =no) [2452] string-match:smtp-invalid-cmd-text:Mprog,P=/bin/(fcase =no) [2453] string-match:upnp-req-post-uri-text:/upnp/service/WANPPPConnection(fcase =no) [2454] string-match:upnp-req-soapaction-header-text:#GetUserName(fcase =no) [2455] unsigned-gt:kerberos-length:0xffffffff:0xfffffffc:no [2456] string-match:pktsearch-req-text:User-Agent: Morpheus(fcase =yes) [2457] string-match:pktsearch-req-text:UserAgent: Morpheus(fcase =yes) [2458] string-match:pktsearch-req-text:User-Agent: MMMM(fcase =yes) [2459] string-match:pktsearch-req-text:User-Agent: morph(fcase =yes) [2460] string-match:pktsearch-req-text:GNUTELLA CONNECT(fcase =yes) [2461] string-match:http-get-req-header:User-Agent: Morpheus(fcase =yes) [2462] string-match:http-get-req-header:UserAgent: Morpheus(fcase =yes) [2463] string-match:http-get-req-header:User-Agent: MMMM(fcase =yes) [2464] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:5555:no [2465] string-match:pktsearch-rsp-text:^ServeMe 1\.(fcase =no) [2466] string-match:http-req-uri-path:\.(idc|idw|ida|idq)(fcase =yes) [2467] string-match:http-req-uri-query-params:\x90\x90\x68\x58\xcb\xd3\x78\x01\x90\x90\x68\x58\xcb\xd3\x78\x01\x90\x90\x68\x58\xcb\xd3\x78\x01\x90\x90\x90\x90\x81\x90\xc3\x03\x8b\x00\x53\x1b\x53\xff\x78\x00\x25\x75\x30\x30(fcase =no) [2468] unsigned-gt:http-req-uri-query-param-value-length:0xffffffff:260:no [2469] string-match:http-req-uri-path:forms\.exe(fcase =yes) [2470] 
numerical-eq:icmp-echo-reply-id:0xffffffff:9015:no [2471] string-match:icmp-echo-reply-payload:niggahbitch(fcase =no) [2472] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:7306:no [2473] string-match:pktsearch-rsp-text:Netspy Version (fcase =no) [2474] string-match:pktsearch-rsp-text:Netspy Version .\.(fcase =no) [2475] string-match:pktsearch-rsp-text:OK!\x0d\x0a(fcase =no) [2476] string-match:rpc-call-data:\x90\x03\xe0\x34\x92\x23\xe0\x20\xa2\x02\x20\x0c(fcase =no) [2477] string-match:pktsearch-req-text:\x90\x03\xe0\x34\x92\x23\xe0\x20\xa2\x02\x20\x0c(fcase =no) [2478] string-match:ftp-cwd-cmd-param: **********(fcase =no) [2479] string-match:ftp-retr-cmd-param: **********(fcase =no) [2480] string-match:ftp-stor-cmd-param: **********(fcase =no) [2481] string-match:ftp-stou-cmd-param: **********(fcase =no) [2482] string-match:ftp-appe-cmd-param: **********(fcase =no) [2483] string-match:ftp-rnfr-cmd-param: **********(fcase =no) [2484] string-match:ftp-rnto-cmd-param: **********(fcase =no) [2485] string-match:ftp-dele-cmd-param: **********(fcase =no) [2486] string-match:ftp-rmd-cmd-param: **********(fcase =no) [2487] string-match:ftp-mkd-cmd-param: **********(fcase =no) [2488] string-match:ftp-list-cmd-param: **********(fcase =no) [2489] string-match:ftp-nlst-cmd-param: **********(fcase =no) [2490] string-match:ftp-stat-cmd-param: **********(fcase =no) [2491] string-match:ftp-size-cmd-param: **********(fcase =no) [2492] string-match:ftp-xcwd-cmd-param: **********(fcase =no) [2493] string-match:ftp-xrmd-cmd-param: **********(fcase =no) [2494] string-match:ftp-xmkd-cmd-param: **********(fcase =no) [2495] string-match:ftp-mdtm-cmd-param: **********(fcase =no) [2496] unsigned-gt:ftp-site-cmd-param-length:0xffffffff:35:no [2497] string-match:ftp-site-cmd-param:CHOWN (fcase =yes) [2498] unsigned-gt:http-req-if-modified-since-header-length:0xffffffff:1300:no [2499] string-match:pktsearch-mstream-h2a-req-text:ping(fcase =no) [2500] 
numerical-eq:pktsearch-tcp-dst-port:0xffffffff:54321:no [2501] numerical-eq:pktsearch-req-1st-4b:0xFF000000:0x21000000:no [2502] numerical-eq:pktsearch-rsp-1st-4b:0xFF000000:0x21000000:no [2503] unsigned-gt:ident-req-text-len:0xffffffff:127:no [2504] numerical-eq:ident-valid-ident-req:0xffffffff:2:no [2505] numerical-eq:ident-rsp-type:0xffffffff:3:no [2506] numerical-eq:http-dst-port:0xffffffff:2002:no [2507] string-match:http-req-uri-path:login\.exe(fcase =yes) [2508] string-match:http-req-uri-query-param-name:user(fcase =yes) [2509] unsigned-gt:http-req-uri-query-param-value-length:0xffffffff:400:no [2510] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:33333:no [2511] string-match:pktsearch-rsp-text:^210 Prosiak v. (fcase =no) [2512] string-match:pktsearch-rsp-text:^210 Prosiak v\.0\.65(fcase =no) [2513] string-match:pktsearch-rsp-text:^210 Prosiak v\.(fcase =no) [2514] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:44444:no [2515] string-match:pktsearch-req-text:^getinfo(fcase =no) [2516] string-match:pktsearch-req-text:^#GUI#(fcase =no) [2517] string-match:rpc-call-data:\x33\xDB\x33\xC0\xB0\x1B\xCD\x80\x33\xD2\x33\xc0\x8b\xDA\xb0\x06\xcd\x80\xfe\xc2\x75\xf4\x31\xc0\xb0\x02\xcd\x80(fcase =no) [2518] string-match:pktsearch-req-text:\x33\xDB\x33\xC0\xB0\x1B\xCD\x80\x33\xD2\x33\xc0\x8b\xDA\xb0\x06\xcd\x80\xfe\xc2\x75\xf4\x31\xc0\xb0\x02\xcd\x80(fcase =no) [2519] string-match:rpc-call-data:\xeb\x3c\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\xf7\x83\xc7\x10\x89\x3e\x4f\x47\xfe\x07\x75\xfb\x47\x89\x7e\x04\x4f\x47\xfe\x07\x75\xfb\x47\x89\x7e\x08\x4f(fcase =no) [2520] string-match:pktsearch-req-text:\xeb\x3c\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\xf7\x83\xc7\x10\x89\x3e\x4f\x47\xfe\x07\x75\xfb\x47\x89\x7e\x04\x4f\x47\xfe\x07\x75\xfb\x47\x89\x7e\x08\x4f(fcase =no) [2521] unsigned-gt:netbios-ss-dcerpc-mgmt-element-11:0xffffffff:4:no [2522] unsigned-gt:dcerpc-mgmt-element-11:0xffffffff:4:no [2523] 
string-match:tds-mssql-client-query-payload:x\x00p\x00_\x00d\x00i\x00s\x00p\x00l\x00a\x00y\x00q\x00u\x00e\x00u\x00e\x00m\x00e\x00s\x00g\x00s(fcase =yes) [2524] string-match:netbios-ss-tds-client-query-payload:x\x00p\x00_\x00d\x00i\x00s\x00p\x00l\x00a\x00y\x00q\x00u\x00e\x00u\x00e\x00m\x00e\x00s\x00g\x00s(fcase =yes) [2525] string-match:ftp-mkd-cmd-param:\x31\xdb\x89\xd8\xb0\x17\xcd\x80(fcase =no) [2526] unsigned-gt:ftp-mkd-cmd-param-length:0xffffffff:512:no [2527] unsigned-gt:ftp-cwd-cmd-param-length:0xffffffff:512:no [2528] unsigned-gt:ftp-mkd-cmd-param-length:0xffffffff:200:no [2529] string-match:http-req-uri-path:(\\|/)auktion.pl$(fcase =yes) [2530] string-match:http-req-uri-query-param-name:menue(fcase =yes) [2531] numerical-eq:rsh-username-client-login-length:0xffffffff:0:no [2532] numerical-eq:rsh-client-handshake-serveruser-text-length:0xffffffff:0:no [2533] unsigned-gt:pop3-top-cmd-param-length:0xffffffff:512:no [2534] string-match:irc-req-invite-cmd-param:x%n%[1-9](fcase =no) [2535] string-match:irc-req-kill-cmd-param:x%n%[1-9](fcase =no) [2536] string-match:irc-req-privmsg-cmd-param:\xeb\x5b\x5e\x31\xc0\xb0\x02\x31\xdb\xcd\x80(fcase =no) [2537] numerical-eq:dns-request-additional-type:0xffffffff:41:no [2538] unsigned-gt:dns-request-additional-class:0xffffffff:32766:no [2539] unsigned-gt:imap-copy-cmd-param-length:0xffffffff:1024:no [2540] string-match:http-req-uri-path:quikstore\.cfg(fcase =yes) [2541] unsigned-gt:smtp-rcpt-cmd-param-length:0xffffffff:800:no [2542] string-match:smtp-rcpt-cmd-param:a%A%A%A%A%A(fcase =no) [2543] unsigned-gt:http-req-uri-query-params-length:0xffffffff:2000:no [2544] string-match:http-req-uri-path:\.jsp$(fcase =no) [2545] string-match:pktsearch-rsp-text:^\x0d\x0d\x0aC:\\(fcase =no) [2546] string-match:pktsearch-rsp-text:^\x0d\x0d\x0aD:\\(fcase =no) [2547] string-match:pktsearch-rsp-text:^\x0d\x0d\x0aE:\\(fcase =no) [2548] string-match:pktsearch-rsp-text:^\x0d\x0d\x0aF:\\(fcase =no) [2549] 
string-match:pktsearch-rsp-text:^\x0d\x0d\x0aG:\\(fcase =no) [2550] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:7777:no [2551] unsigned-gt:ftp-user-cmd-param-length:0xffffffff:240:no [2552] string-match:ftp-pass-cmd-param:-saint(fcase =no) [2553] string-match:http-req-uri-path:passwd\.php3$(fcase =no) [2554] string-match:http-req-uri-query-param-name:try(fcase =yes) [2555] string-match:http-req-uri-query-param-value:g23(fcase =yes) [2556] string-match:http-req-uri-query-param-value:+;+(fcase =no) [2557] string-match:pktsearch-req-text:^hidestart(fcase =no) [2558] string-match:pktsearch-req-text:^showstart(fcase =no) [2559] string-match:pktsearch-req-text:^hidetastbar(fcase =no) [2560] string-match:pktsearch-req-text:^4testmessage(fcase =no) [2561] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:4545:no [2562] string-match:smtp-message-body:[\x22\x27]jav\x26\x23X41sc\x26\x230010;ript:(fcase =yes) [2563] string-match:smtp-message-body:javasc\x26\x230010;\x26\x230010;ript(fcase =yes) [2564] string-match:smtp-message-body:\x3cimg src=[\x22\x27](java|vb)script:(fcase =yes) [2565] string-match:smtp-message-body:\x3cframe src=[\x22\x27](java|vb)script:(fcase =yes) [2566] string-match:smtp-message-body:\x3ciframe src=[\x22\x27](java|vb)script:(fcase =yes) [2567] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:23432:no [2568] string-match:pktsearch-rsp-text:^PAS(fcase =no) [2569] string-match:pktsearch-req-text:^PAS (fcase =no) [2570] string-match:pktsearch-rsp-text:^RQS 1(fcase =no) [2571] string-match:pktsearch-req-text:^RQS(fcase =no) [2572] numerical-eq:dcerpc-error-code:0xffffffff:12:no [2573] numerical-eq:netbios-ss-error-code:0xffffffff:16:no [2574] string-match:tds-mssql-client-query-payload:x\x00p\x00_\x00s\x00h\x00o\x00w\x00c\x00o\x00l\x00v(fcase =yes) [2575] string-match:netbios-ss-tds-client-query-payload:x\x00p\x00_\x00s\x00h\x00o\x00w\x00c\x00o\x00l\x00v(fcase =yes) [2576] string-match:http-req-uri-path:(\\|/)active\.log$(fcase =yes) [2577] 
string-match:pop3-user-cmd-param:^x#(9){100}(fcase =no) [2578] string-match:upnp-req-before-method-text:\x90\x90\x4D\x3F\xE3\x77\x90\x90(fcase =no) [2579] string-match:imap-lsub-cmd-param:\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b(fcase =no) [2580] string-match:imap-lsub-cmd-param:\xeb\x35\x5e\x80\x46\x01\x30\x80\x46\x02\x30\x80\x46\x03\x30(fcase =no) [2581] unsigned-gt:imap-lsub-cmd-param-length:0xffffffff:1024:no [2582] string-match:lpr-receive-control-file-content:\nProot(fcase =no) [2583] string-match:lpr-receive-control-file-content:\nU(fcase =no) [2584] string-match:smtp-vrfy-cmd-param:\x90\x90\xEB\x53\xEB\x20\x5B\xFC(fcase =no) [2585] numerical-eq:ident-rsp-type:0xffffffff:2:no [2586] unsigned-gt:ident-rsp-text-len:0xffffffff:980:no [2587] numerical-eq:pktsearch-udp-dst-port:0xffffffff:47262:no [2588] numerical-eq:pktsearch-udp-dst-port:0xffffffff:26274:no [2589] string-match:pktsearch-req-text:^Ping(fcase =no) [2590] string-match:pktsearch-req-text:^\|y7MS5(fcase =no) [2591] string-match:pktsearch-rsp-text:^Delta Source (fcase =no) [2592] string-match:pktsearch-rsp-text:^\x68\x75\x35\x5E\x02\x3B\x42\x5D\x22\x29\x47\x29\x04\x09\x63\x22\x75(fcase =no) [2593] string-match:ftp-mkd-cmd-param:\xb0\x3d\xcd\x80(fcase =no) [2594] string-match:ftp-mkd-cmd-param:\xb0\x3b\xcd\x80(fcase =no) [2595] string-match:http-req-uri-path:(\\|/)webdist\.cgi$(fcase =no) [2596] string-match:http-req-uri-query-param-name:distloc(fcase =no) [2597] string-match:http-req-uri-query-param-value:;(cat|cp|sendmail|/bin/|/usr/|/sbin/|/etc/)(fcase =no) [2598] numerical-eq:dns-loop-check:0xffffffff:1:no [2599] string-match:pktsearch-req-text:^con(fcase =no) [2600] string-match:pktsearch-rsp-text:^con1\.08(fcase =no) [2601] unsigned-gt:smtp-invalid-cmd-text-length:0xffffffff:1000:no [2602] unsigned-gt:smtp-cmd-param-length:0xffffffff:1000:no [2603] numerical-eq:smtp-command-counter:0xffffffff:1000:no [2604] numerical-eq:rdp-protocol-anomaly:0xffffffff:1:no [2605] 
unsigned-lt:rdp-rsp-text-len:0xffffffff:64:no [2606] numerical-eq:pktsearch-dst-port:0xffffffff:27184:no [2607] string-match:pktsearch-req-text:^stTestMessage(fcase =no) [2608] string-match:pktsearch-rsp-text:^stAlvgus's Trojan Server(fcase =no) [2609] numerical-eq:tds-mssql-req-type:0xffffffff:0x12:no [2610] numerical-eq:tds-error-code:0xffffffff:3:no [2611] numerical-eq:tds-error-code:0xffffffff:5:no [2612] string-match:http-req-uri-path:(\\|/)cgiproc$(fcase =no) [2613] string-match:http-req-query-param-name:Nocfile(fcase =yes) [2614] unsigned-gt:snmp-OID-msg-qllength:0xffffffff:128:no [2615] string-match:http-req-uri-path:owssvr\.dll(fcase =yes) [2616] string-match:http-req-uri-query-param-value:%250D%250A(fcase =yes) [2617] string-match:smtp-ZIP-message-body:H8ydAD4AAAA+(fcase =no) [2618] string-match:pop3-ZIP-message-body:H8ydAD4AAAA+(fcase =no) [2619] string-match:imap-ZIP-message-body:H8ydAD4AAAA+(fcase =no) [2620] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:6666:no [2621] numerical-eq:pktsearch-req-1st-4b:0xFFFFFF00:0x36363600:no [2622] numerical-eq:pktsearch-rsp-1st-4b:0xFFFFFF00:0x36363600:no [2623] string-match:smtp-invalid-cmd-text:^WIZ[ \t\n\r](fcase =yes) [2624] string-match:http-req-uri-path:talkback\.cgi(fcase =yes) [2625] string-match:http-req-uri-query-param-value:\.\.(/|\\)(fcase =yes) [2626] string-match:rtsp-req-content-text:GET_PARAMETER / RTSP/1.0[\r\n](fcase =no) [2627] string-match:rtsp-req-content-text:DESCRIBE / RTSP/1.0\nSession:[\r\n](fcase =no) [2628] string-match:pktsearch-req-text:^Girl(fcase =no) [2629] string-match:pktsearch-rsp-text:^GirlFriend Server (fcase =no) [2630] string-match:http-req-uri-path:carbo\.dll(fcase =yes) [2631] string-match:http-req-uri-query-param-name:icatcommand(fcase =yes) [2632] string-match:http-req-uri-query-param-value:\.\.\\\.\.\\(fcase =yes) [2633] string-match:http-req-uri-query-param-name:catalogname(fcase =yes) [2634] string-match:pktsearch-rsp-text:^Vagr Nocker (fcase =no) [2635] 
string-match:smtp-helo-cmd-param:all-mail\.overrun\.test(fcase =no) [2636] string-match:smtp-mail-cmd-param:\x90\x90\x90\x90\x8b\xec\x8b\xdc\xb8\x86\xa9\xf1\x77\x33\xf6\x56\xb9\xff\xff\xff\xff\x83\xe9\xd7\x83\x6b(fcase =no) [2637] string-match:http-req-uri-path:(\\|/)fpcount\.exe(fcase =yes) [2638] string-match:pktsearch-req-text:X-MMS-IM-Format:(fcase =no) [2639] string-match:pktsearch-req-text:FN=(fcase =no) [2640] string-match:pktsearch-req-text:%20%20(fcase =no) [2641] string-match:http-req-uri-path:(\\|/)(mylog\.html|mlog\.html|mylog\.phtml|mlog\.phtml)(fcase =no) [2642] string-match:http-req-uri-query-param-name:screen(fcase =no) [2643] string-match:pktsearch-rsp-text:^\x0d\x0a-------- YOU ARE(fcase =no) [2644] string-match:pktsearch-rsp-text:^\x23\x20\x2b\x2d(fcase =no) [2645] string-match:pktsearch-rsp-text:YAT copyright by HSE(fcase =no) [2646] string-match:http-req-uri-path:\.bat"+(fcase =yes) [2647] string-match:netbios-ss-smb-CREATE-filename:s\x00c\x00r\x00s\x00v\x00r\x00\.\x00e\x00x\x00e(fcase =yes) [2648] string-match:netbios-ss-smb-CREATE-filename:scrsvr\.exe(fcase =yes) [2649] string-match:smtp-rcpt-cmd-param:\.(com|net|org|gov|edu)\.[\r\n](fcase =no) [2650] string-match:http-get-req-uri-path:/LoginResponse(fcase =yes) [2651] string-match:http-get-req-header:\nCompaq-WBEM-UserName: (fcase =yes) [2652] unsigned-gt:http-get-req-header-length:0xffffffff:420:no [2653] numerical-eq:h225-error-code:0xffffffff:SourceAddressH323IDLengthAnomaly:no [2654] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:20000:no [2655] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:20001:no [2656] string-match:pktsearch-rsp-text:^Millenium [12]\.(fcase =no) [2657] string-match:pktsearch-req-text:^Millenium [12]\.(fcase =no) [2658] unsigned-gt:rpc-fraglen:0xffffffff:0x7f000000:no [2659] string-match:pktsearch-req-text:X-Kazaa-Network: Grokster\r\n(fcase =no) [2660] string-match:http-req-header:X-Kazaa-Network: Grokster\r(fcase =no) [2661] 
unsigned-gt:http-req-uri-path-length:0xffffffff:300:no [2662] string-match:http-req-uri-path:\.printer\?(fcase =yes) [2663] unsigned-gt:http-req-host-header-length:0xffffffff:260:no [2664] string-match:http-req-uri-path:\.printer(fcase =yes) [2665] string-match:http-req-host-header:\xc0\x11\x33\xc9\x66\xb9\x20\x01\x80\x30\x03\x40\xe2\xfa\xeb\x03(fcase =no) [2666] numerical-eq:socks-v5-domainname-text-len:0xffffffff:255:no [2667] unsigned-gt:socks-v5-domainname-text-len:0xffffffff:127:no [2668] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:4540:no [2669] string-match:pktsearch-req-text:^swap(fcase =no) [2670] string-match:netbios-ss-smb-open_andx-buffer:\\shadow\x00(fcase =no) [2671] string-match:netbios-ss-smb-open_andx-buffer:\\\x00s\x00h\x00a\x00d\x00o\x00w\x00(fcase =no) [2672] string-match:netbios-ss-smb-nt_create_andx-buffer:\\passwd\x00(fcase =no) [2673] string-match:netbios-ss-smb-nt_create_andx-buffer:\\\x00p\x00a\x00s\x00s\x00w\x00d\x00(fcase =no) [2674] numerical-eq:rpc-call-version:0xffffffff:10:no [2675] numerical-eq:rpc-call-prognum:0xffffffff:100232:no [2676] string-match:rpc-call-data:\x89\x3e\x83\xc7\x08\x88\x47\xff\x89\x7e\x04(fcase =no) [2677] string-match:rpc-call-data:\x2f\x62\x69\x6e\x2f\x73\x68\xff\x2d\x63\xff(fcase =no) [2678] string-match:pktsearch-req-text:\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x87\x88\x00\x00\x00\x0a\x00\x00\x00\x01(fcase =no) [2679] string-match:pktsearch-req-text:\x89\x3e\x83\xc7\x08\x88\x47\xff\x89\x7e\x04(fcase =no) [2680] string-match:pktsearch-req-text:\x2f\x62\x69\x6e\x2f\x73\x68\xff\x2d\x63\xff(fcase =no) [2681] string-match:tds-mssql-client-query-payload:x\x00p\x00_\x00c\x00r\x00e\x00a\x00t\x00e\x00p\x00r\x00i\x00v\x00a\x00t\x00e\x00q\x00u\x00e\x00u\x00e\x00 (fcase =yes) [2682] string-match:netbios-ss-tds-client-query-payload:x\x00p\x00_\x00c\x00r\x00e\x00a\x00t\x00e\x00p\x00r\x00i\x00v\x00a\x00t\x00e\x00q\x00u\x00e\x00u\x00e\x00 (fcase =yes) [2683] string-match:http-req-uri-path:/doc/(fcase =no) [2684] 
string-match:http-req-uri-path:/packages$(fcase =no) [2685] string-match:http-req-uri-path:(\\|/)shtml\.(exe|dll)(\\|/)(fcase =yes) [2686] string-match:http-req-uri-path:\.(asp|shtml|html)(fcase =yes) [2687] string-match:http-req-uri-path:\.(asp|asa)%3(F|f)+\.htr(fcase =yes) [2688] string-match:pktsearch-req-text:\x44\xff\xff\x02(fcase =no) [2689] string-match:pktsearch-req-text:\x3c\x60\x2f\x73\x60\x63\x68\x01\x38\x63\xff(fcase =no) [2690] string-match:pktsearch-req-text:\x7c\x65\x1b\x78\x7c\x63\x1a\x78\x44\xff\xff\x02(fcase =no) [2691] string-match:http-post-req-message-body:y3k(@|%40)server\.y3k(fcase =no) [2692] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:667:no [2693] string-match:pktsearch-req-text:^cmdping(fcase =no) [2694] string-match:pktsearch-rsp-text:^pingback(fcase =no) [2695] numerical-eq:portmapper-call-version:0xffffffff:2:no [2696] numerical-eq:portmapper-call-prognum:0xffffffff:100000:no [2697] numerical-eq:portmapper-call-procedure:0xffffffff:4:no [2698] string-match:tds-mssql-client-query-payload:x\x00p\x00_\x00r\x00e\x00a\x00d\x00p\x00k\x00f\x00r\x00o\x00m\x00v\x00a\x00r\x00b\x00i\x00n\x00 (fcase =yes) [2699] string-match:netbios-ss-tds-client-query-payload:x\x00p\x00_\x00r\x00e\x00a\x00d\x00p\x00k\x00f\x00r\x00o\x00m\x00v\x00a\x00r\x00b\x00i\x00n\x00 (fcase =yes) [2700] string-match:http-req-uri-path:bb-hostsvc\.sh$(fcase =no) [2701] string-match:http-req-uri-query-param-name:HOSTSVC(fcase =yes) [2702] string-match:http-req-uri-query-param-value:/\.\.(/|\\)(fcase =no) [2703] unsigned-gt:pktsearch-calicense-req-pktlen:0xffffffff:100:no [2704] string-match:pktsearch-calicense-req-text: GCR CHECKSUMS(fcase =no) [2705] unsigned-gt:pktsearch-calicense-req-pktlen:0xffffffff:200:no [2706] string-match:pktsearch-calicense-req-text: GCR HOSTNAME(fcase =no) [2707] string-match:pktsearch-calicense-req-text: GCR NETWORK(fcase =no) [2708] unsigned-gt:pktsearch-calicense-req-pktlen:0xffffffff:226:no [2709] string-match:pktsearch-calicense-req-text: 
GETCONFIG SELF(fcase =no) [2710] unsigned-gt:pktsearch-calicense-req-pktlen:0xffffffff:300:no [2711] string-match:pktsearch-calicense-req-text: PUTOLF (fcase =no) [2712] string-match:irc-req-user-cmd-param:\xb0\x29\xcd\x80(fcase =no) [2713] string-match:irc-req-user-cmd-param:\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80(fcase =no) [2714] string-match:irc-req-user-cmd-param:\xb0\x10\x89\x46\x08\xb0\x66\xfe\xc3\xcd\x80(fcase =no) [2715] unsigned-gt:rlogin-login-fail-counter:0xffffffff:0:no [2716] string-match:pktsearch-rsp-text:Optix (fcase =no) [2717] string-match:pktsearch-rsp-text:Optix Pro v(fcase =no) [2718] string-match:pktsearch-rsp-text:Connected Successfully!\x0d\x0a(fcase =no) [2719] unsigned-gt:smtp-url-length:0xffffffff:256:no [2720] string-match:smtp-expn-cmd-param:decode(fcase =no) [2721] string-match:smtp-vrfy-cmd-param:decode(fcase =no) [2722] string-match:smtp-rcpt-cmd-param:\x3cdecode\x3c(fcase =no) [2723] string-match:smtp-rcpt-cmd-param:\x22decode\x22(fcase =no) [2724] string-match:smtp-rcpt-cmd-param:[ \t]decode[ \t\r\n](fcase =no) [2725] string-match:http-get-req-uri-path:(\\|/)tbl_copy\.php(fcase =yes) [2726] string-match:http-get-req-uri-query-param-name:strCopyTableOK(fcase =no) [2727] string-match:http-get-req-uri-query-param-value:\.passthru(fcase =no) [2728] string-match:http-get-req-uri-path:(\\|/)tbl_rename\.php(fcase =yes) [2729] string-match:http-get-req-uri-query-param-name:strRenameTableOK(fcase =no) [2730] numerical-eq:h225-error-code:0xffffffff:SourceAddressEmailLengthAnomaly:no [2731] string-match:telnet-server-data-text:^Truva Server v1.2 (fcase =no) [2732] string-match:tds-mssql-client-query-payload:\x39\x20\xd0\x00\x92\x01\xc2\x00\x52\x00\x55\x00\x39\x20\xec\x00(fcase =no) [2733] string-match:tds-mssql-client-query-payload:\x48\x00\x25\x00\x78\x00\x77\x00\x90\x00\x90\x00\x90\x00\x90\x00\x90\x00\x33\x00\xc0\x00\x50\x00\x68\x00\x2e\x00(fcase =no) [2734] unsigned-gt:tds-mssql-query-req-packet-length:0xffffffff:1024:no [2735] 
string-match:netbios-ss-tds-client-query-payload:\x39\x20\xd0\x00\x92\x01\xc2\x00\x52\x00\x55\x00\x39\x20\xec\x00(fcase =no) [2736] string-match:netbios-ss-tds-client-query-payload:\x48\x00\x25\x00\x78\x00\x77\x00\x90\x00\x90\x00\x90\x00\x90\x00\x90\x00\x33\x00\xc0\x00\x50\x00\x68\x00\x2e\x00(fcase =no) [2737] unsigned-gt:netbios-ss-tds-client-query-packet-length:0xffffffff:1024:no [2738] string-match:http-req-uri-path:pccsmysqladm(fcase =no) [2739] string-match:http-req-uri-path:incs(\\|/)(fcase =no) [2740] string-match:http-req-uri-path:(\\|/)dbconnect\.inc$(fcase =no) [2741] unsigned-gt:tns-req-ksdwrt-param-text-len:0xffffffff:128:no [2742] unsigned-gt:snmp-err-index-msg-qllength:0xffffffff:4:no [2743] unsigned-gt:snmp-err-index-length-of-length:0xffffffff:2:no [2744] string-match:tftp-rrq-filename:hello\.all(fcase =yes) [2745] string-match:http-req-uri-path: (http|ftp)://\[( |?|/|#)(fcase =yes) [2746] string-match:http-req-uri-path: (http|ftp)://\[:( |?|/|#)(fcase =yes) [2747] string-match:mysql-req-authenticate-payload:root(fcase =yes) [2748] string-match:mysql-rsp-error-payload:Access denied for user(fcase =yes) [2749] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:32100:no [2750] string-match:pktsearch-rsp-text:^Accept,(fcase =no) [2751] string-match:http-req-uri-path:asp\x80#80$(fcase =yes) [2752] string-match:http-req-uri-path:asp\x80#80[ \t](fcase =yes) [2753] string-match:icmp-echo-payload:+++ATH0(fcase =no) [2754] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:13473:no [2755] string-match:pktsearch-req-text:^sndmsg\\(fcase =no) [2756] string-match:pktsearch-req-text:^get(fcase =no) [2757] string-match:rpc-call-data:\xc0\x2c\x7f\xff\xe2\x22\x3f\xf4\xa2\x04\x60\x03\xc0\x2c\x7f\xff\xe2\x22\x3f\xf8(fcase =no) [2758] string-match:pktsearch-req-text:\xc0\x2c\x7f\xff\xe2\x22\x3f\xf4\xa2\x04\x60\x03\xc0\x2c\x7f\xff\xe2\x22\x3f\xf8(fcase =no) [2759] string-match:tds-mssql-client-query-payload:\x0a\x00x\x00p\x00_\x00(fcase =yes) [2760] 
string-match:tds-mssql-client-query-payload:^x\x00p\x00_\x00(fcase =yes) [2761] unsigned-gt:tds-mssql-query-req-packet-length:0xffffffff:1000:no [2762] string-match:netbios-ss-tds-client-query-payload:\x0a\x00x\x00p\x00_\x00(fcase =yes) [2763] string-match:netbios-ss-tds-client-query-payload:^x\x00p\x00_\x00(fcase =yes) [2764] unsigned-gt:netbios-ss-tds-client-query-packet-length:0xffffffff:1000:no [2765] string-match:http-req-uri-path:^(/)?pls/admin_/$(fcase =yes) [2766] string-match:telnet-server-data-text:WinGate>(fcase =no) [2767] string-match:telnet-client-data-text:localhost(fcase =no) [2768] string-match:telnet-server-data-text:Connecting to host localhost\.\.\.Connected(fcase =no) [2769] string-match:telnet-server-data-text:Connecting to host localhost\.\.\.Out of buffers(fcase =no) [2770] string-match:telnet-client-data-text:localhost\nlocalhost\nlocalhost(fcase =no) [2771] string-match:telnet-client-data-text:localhost\r\nlocalhost\r\nlocalhost(fcase =no) [2772] string-match:http-req-header:Host: /(fcase =no) [2773] numerical-eq:pptp-req-control-msg-code:0xffffffff:7:no [2774] string-match:pptp-req-text:\x00\x03\x00\x03\x00\x00\x00\x00(fcase =no) [2775] numerical-eq:lpr-command-code:0xffffffff:77:no [2776] string-match:lpr-unsupport-cmd-buffer:user\n(fcase =no) [2777] string-match:smtp-message-body:mailto:",/c,,/m,,/folder,"javascr(fcase =yes) [2778] string-match:smtp-message-body: \.\.\r\n(fcase =no) [2842] string-match:pktsearch-rsp-text:\r\n\r\nDirectory of (fcase =no) [2843] string-match:pktsearch-rsp-text:File Not Found\r\n(fcase =no) [2844] string-match:pktsearch-req-text:dir( |\r\n)(fcase =no) [2845] string-match:pktsearch-rsp-text:Volume Serial Number is (fcase =no) [2846] string-match:pktsearch-rsp-text:\r\nAccess is denied\.\r\n(fcase =no) [2847] string-match:pktsearch-rsp-text:The command completed successfully\.\r\n(fcase =no) [2848] string-match:pktsearch-req-text:net (fcase =no) [2849] string-match:pktsearch-rsp-text:Transfer 
successful:(fcase =no) [2850] string-match:pktsearch-rsp-text:Error on server :(fcase =no) [2851] string-match:pktsearch-req-text:tftp(fcase =no) [2852] string-match:pktsearch-req-text:get(fcase =no) [2853] numerical-eq:pktsearch-win-sh-counter:0xffffffff:2:no [2854] string-match-ap:rsp-content-text:Microsoft\(R\) Windows NT\(TM\)(fcase =no)(offset=0, depth=0) [2855] string-match-ap:rsp-content-text:Microsoft Windows 2000 \[Version 5\.00(fcase =no)(offset=0, depth=0) [2856] string-match-ap:rsp-content-text:Microsoft Windows XP \[Version 5\..\.(fcase =no)(offset=0, depth=0) [2857] string-match-ap:rsp-content-text:Microsoft Windows \[Version 5\..\.(fcase =no)(offset=0, depth=0) [2858] numerical-eq:ssrs-cmd:0xffffffff:5:no [2859] unsigned-gt:ssrs-req-pktlen:0xffffffff:256:no [2860] numerical-eq:ssrs-invalid-flow:0xffffffff:1:no [2861] string-match:ssrs-req-text:;;;(fcase =no) [2862] unsigned-gt:ssrs-req-pktlen:0xffffffff:512:no [2863] numerical-eq:ssrs-invalid-flow:0xffffffff:2:no [2864] string-match:http-req-uri-path:(\\|/)convert\.bas$(fcase =yes) [2865] string-match:http-req-uri-path:^(/)?ows-bin/(fcase =no) [2866] string-match:http-req-uri-path:bat\x3F\x26(fcase =no) [2867] string-match:http-req-uri-path:\.bat(fcase =no) [2868] numerical-eq:smtp-error-code:0xffffffff:XEXCH50-FORMAT-ERROR:no [2869] unsigned-gt:smtp-xexch50-size:0xffffffff:0x80000000:no [2870] numerical-eq:finger-server-data-text-len:0xffffffff:38:no [2871] numerical-eq:finger-server-data-text-len:0xffffffff:39:no [2872] string-match:finger-server-data-text:That user does not want to be fingered(fcase =no) [2873] string-match:http-req-uri-path:(\\|/)nph-test-cgi(fcase =yes) [2874] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:1441:no [2875] string-match:pktsearch-req-text:^Hu r u?\x0d\x0a(fcase =no) [2876] string-match:pktsearch-rsp-text:^FreeServ\x0d\x0a(fcase =no) [2877] string-match:pktsearch-rsp-text:^ServerProt => Need Pass\.\.\.\x0d\x0a(fcase =no) [2878] 
string-match:http-req-uri-path:cfcache\.map(fcase =yes) [2879] string-match:pktsearch-req-text:^xchello(fcase =no) [2880] string-match:pktsearch-rsp-text:^xrR_Server version:(fcase =no) [2881] string-match:ssl-req-content-text:\xb0\xa4\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80(fcase =no) [2882] string-match:ssl-req-content-text:\.bugtraq(fcase =no) [2883] string-match:ssl-req-content-text:\.cinik(fcase =no) [2884] string-match:ssl-req-content-text:\.unlock(fcase =no) [2885] string-match:ssl-req-content-text:/tmp/script\.sh(fcase =no) [2886] string-match:pktsearch-req-text:^VERSI(fcase =no) [2887] string-match:pktsearch-rsp-text:^VERSI(fcase =no) [2888] string-match:pktsearch-rsp-text:^VERSI \(TheTheef\) - v1\.2(fcase =no) [2889] string-match:pktsearch-rsp-text:^VERSI \(TheTheef\) - v1\.3(fcase =no) [2890] unsigned-gt:ftp-cmd-param-length:0xffffffff:256:no [2891] string-match:ftp-cmd-param:%.%.%.%.%.%.(fcase =no) [2892] string-match:http-req-uri-path:(\\|/)wguest\.exe$(fcase =yes) [2893] string-match:http-req-query-param-name:template(fcase =yes) [2894] string-match:http-req-query-param-value:c:\\winnt\\system32\\(fcase =yes) [2895] numerical-eq:dns-request-hdr-opcode:0xffffffff:1:no [2896] numerical-eq:dns-request-answer-type:0xffffffff:1:no [2897] numerical-eq:dns-request-answer-class:0xffffffff:1:no [2898] string-match:dns-request-answer-rdata:(\xeb\x6e\x5e\xc6\x06\x9a\x31\xc9\x89\x4e\x01|\x80\xe8\xd7\xff\xff\xff/bin/sh)(fcase =no) [2899] string-match:dns-request-answer-rdata:(\xff\xff\xff/usr/bin/X11/xterm\xff-display|\xe8\xd7\xff\xff\xff/tmp/hi)(fcase =no) [2900] unsigned-gt:dns-request-answer-host-addr-length:0xffffffff:4:no [2901] unsigned-gt:dns-request-answer-host-addr-length:0xffffffff:1500:no [2902] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:1218:no [2903] string-match:pktsearch-rsp-text:Connection to (fcase =no) [2904] string-match:pktsearch-rsp-text:Schneckenkorn V1\.0(fcase =no) [2905] 
string-match:smtp-helo-cmd-param:\x90\x90\x90\x90\x90\x90\x90\xbb\x10(fcase =no) [2906] unsigned-gt:http-req-uri-query-params-length:0xffffffff:10240:no [2907] string-match:pktsearch-req-text:^\|FOLDERS\|(fcase =no) [2908] string-match:pktsearch-rsp-text:^\|FOLDERS\|(fcase =no) [2909] string-match:tds-mssql-client-query-payload:x\x00p\x00_\x00d\x00e\x00l\x00e\x00t\x00e\x00p\x00r\x00i\x00v\x00a\x00t\x00e\x00q\x00u\x00e\x00u\x00e\x00 (fcase =yes) [2910] string-match:netbios-ss-tds-client-query-payload:x\x00p\x00_\x00d\x00e\x00l\x00e\x00t\x00e\x00p\x00r\x00i\x00v\x00a\x00t\x00e\x00q\x00u\x00e\x00u\x00e\x00 (fcase =yes) [2911] string-match:http-req-uri-path:\.asp::\$DATA(fcase =yes) [2912] unsigned-gt:snmp-set-varbind-value-field-length:0xffffffff:256:no [2913] string-match:snmp-set-varbind-object-id-field:^\x2b\x06\x01\x02\x01\x01\x05(fcase =no) [2914] string-match:smtp-EXE-message-body:8DiVvznO1PWu2OXYRTtokSTe(fcase =no) [2915] string-match:smtp-EXE-message-body:qtCidVOcF0483BB6wPBpDXco(fcase =no) [2916] string-match:smtp-COM-message-body:8DiVvznO1PWu2OXYRTtokSTe(fcase =no) [2917] string-match:smtp-COM-message-body:qtCidVOcF0483BB6wPBpDXco(fcase =no) [2918] string-match:smtp-BAT-message-body:8DiVvznO1PWu2OXYRTtokSTe(fcase =no) [2919] string-match:smtp-BAT-message-body:qtCidVOcF0483BB6wPBpDXco(fcase =no) [2920] string-match:smtp-CMD-message-body:8DiVvznO1PWu2OXYRTtokSTe(fcase =no) [2921] string-match:smtp-CMD-message-body:qtCidVOcF0483BB6wPBpDXco(fcase =no) [2922] string-match:smtp-PIF-message-body:8DiVvznO1PWu2OXYRTtokSTe(fcase =no) [2923] string-match:smtp-PIF-message-body:qtCidVOcF0483BB6wPBpDXco(fcase =no) [2924] string-match:smtp-SCR-message-body:8DiVvznO1PWu2OXYRTtokSTe(fcase =no) [2925] string-match:smtp-SCR-message-body:qtCidVOcF0483BB6wPBpDXco(fcase =no) [2926] string-match:smtp-ZIP-message-body:8DiVvznO1PWu2OXYRTtokSTe(fcase =no) [2927] string-match:smtp-ZIP-message-body:qtCidVOcF0483BB6wPBpDXco(fcase =no) [2928] 
string-match:smtp-ZIP-message-body:OJW/Oc7U9a7Y5dhFO2iRJN6q(fcase =no) [2929] string-match:smtp-ZIP-message-body:0KJ1U5wXTjzcEHrA8GkNdyi+(fcase =no) [2930] string-match:smtp-ZIP-message-body:lb85ztT1rtjl2EU7aJEk3qrQ(fcase =no) [2931] string-match:smtp-ZIP-message-body:onVTnBdOPNwQesDwaQ13KL4e(fcase =no) [2932] string-match:pop3-EXE-message-body:8DiVvznO1PWu2OXYRTtokSTe(fcase =no) [2933] string-match:pop3-EXE-message-body:qtCidVOcF0483BB6wPBpDXco(fcase =no) [2934] string-match:pop3-COM-message-body:8DiVvznO1PWu2OXYRTtokSTe(fcase =no) [2935] string-match:pop3-COM-message-body:qtCidVOcF0483BB6wPBpDXco(fcase =no) [2936] string-match:pop3-BAT-message-body:8DiVvznO1PWu2OXYRTtokSTe(fcase =no) [2937] string-match:pop3-BAT-message-body:qtCidVOcF0483BB6wPBpDXco(fcase =no) [2938] string-match:pop3-CMD-message-body:8DiVvznO1PWu2OXYRTtokSTe(fcase =no) [2939] string-match:pop3-CMD-message-body:qtCidVOcF0483BB6wPBpDXco(fcase =no) [2940] string-match:pop3-PIF-message-body:8DiVvznO1PWu2OXYRTtokSTe(fcase =no) [2941] string-match:pop3-PIF-message-body:qtCidVOcF0483BB6wPBpDXco(fcase =no) [2942] string-match:pop3-SCR-message-body:8DiVvznO1PWu2OXYRTtokSTe(fcase =no) [2943] string-match:pop3-SCR-message-body:qtCidVOcF0483BB6wPBpDXco(fcase =no) [2944] string-match:pop3-ZIP-message-body:8DiVvznO1PWu2OXYRTtokSTe(fcase =no) [2945] string-match:pop3-ZIP-message-body:qtCidVOcF0483BB6wPBpDXco(fcase =no) [2946] string-match:pop3-ZIP-message-body:OJW/Oc7U9a7Y5dhFO2iRJN6q(fcase =no) [2947] string-match:pop3-ZIP-message-body:0KJ1U5wXTjzcEHrA8GkNdyi+(fcase =no) [2948] string-match:pop3-ZIP-message-body:lb85ztT1rtjl2EU7aJEk3qrQ(fcase =no) [2949] string-match:pop3-ZIP-message-body:onVTnBdOPNwQesDwaQ13KL4e(fcase =no) [2950] string-match:imap-EXE-message-body:8DiVvznO1PWu2OXYRTtokSTe(fcase =no) [2951] string-match:imap-EXE-message-body:qtCidVOcF0483BB6wPBpDXco(fcase =no) [2952] string-match:imap-COM-message-body:8DiVvznO1PWu2OXYRTtokSTe(fcase =no) [2953] 
string-match:imap-COM-message-body:qtCidVOcF0483BB6wPBpDXco(fcase =no) [2954] string-match:imap-BAT-message-body:8DiVvznO1PWu2OXYRTtokSTe(fcase =no) [2955] string-match:imap-BAT-message-body:qtCidVOcF0483BB6wPBpDXco(fcase =no) [2956] string-match:imap-CMD-message-body:8DiVvznO1PWu2OXYRTtokSTe(fcase =no) [2957] string-match:imap-CMD-message-body:qtCidVOcF0483BB6wPBpDXco(fcase =no) [2958] string-match:imap-PIF-message-body:8DiVvznO1PWu2OXYRTtokSTe(fcase =no) [2959] string-match:imap-PIF-message-body:qtCidVOcF0483BB6wPBpDXco(fcase =no) [2960] string-match:imap-SCR-message-body:8DiVvznO1PWu2OXYRTtokSTe(fcase =no) [2961] string-match:imap-SCR-message-body:qtCidVOcF0483BB6wPBpDXco(fcase =no) [2962] string-match:imap-ZIP-message-body:8DiVvznO1PWu2OXYRTtokSTe(fcase =no) [2963] string-match:imap-ZIP-message-body:qtCidVOcF0483BB6wPBpDXco(fcase =no) [2964] string-match:imap-ZIP-message-body:OJW/Oc7U9a7Y5dhFO2iRJN6q(fcase =no) [2965] string-match:imap-ZIP-message-body:0KJ1U5wXTjzcEHrA8GkNdyi+(fcase =no) [2966] string-match:imap-ZIP-message-body:lb85ztT1rtjl2EU7aJEk3qrQ(fcase =no) [2967] string-match:imap-ZIP-message-body:onVTnBdOPNwQesDwaQ13KL4e(fcase =no) [2968] string-match:telnet-server-data-text:Bus Error\r\n(fcase =no) [2969] string-match:telnet-server-data-text:Segmentation fault\r\n(fcase =no) [2970] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:1981:no [2971] numerical-eq:pktsearch-rsp-1st-4b:0xFFFFFF00:0x30303100:no [2972] string-match:http-req-uri-path:(<|lt;)script(>|>)(fcase =yes) [2973] string-match:http-req-uri-path:/file/(fcase =yes) [2974] string-match:netbios-ss-smb-tree_connect_andx-buffer:::(fcase =no) [2975] string-match:netbios-ss-smb-tree_connect_andx-buffer::(/|\\)bin(/|\\)sh(fcase =yes) [2976] string-match:netbios-ss-smb-tree_connect_andx-buffer::\x00:\x00(fcase =no) [2977] string-match:netbios-ss-smb-tree_connect_andx-buffer:\x00:\x00(/|\\)B\x00I\x00N\x00(/|\\)\x00S\x00H(fcase =yes) [2978] string-match:irc-rsp-message:\.(advscan|asc) (fcase =yes) 
[2979] string-match:irc-rsp-message:\.(scanall|sa) (fcase =yes) [2980] string-match:irc-rsp-message:\.(scanstat|scanstop)(fcase =yes) [2981] string-match:irc-rsp-message:\.(scandel|stat) (fcase =yes) [2982] string-match:irc-rsp-message:\.ddos\.(syn|ack|random) \x30#f0(fcase =yes) [2983] string-match:irc-rsp-message:\.(syn|synflood) \x30#f0(fcase =yes) [2984] string-match:irc-rsp-message:\.(udp|udpflood) (fcase =yes) [2985] string-match:irc-rsp-message:\.(tcp|tcpflood) (syn|ack|random) \x30#f0(fcase =yes) [2986] string-match:irc-rsp-message:\.(ping|pingflood) (fcase =yes) [2987] string-match:irc-rsp-message:\.(icmpflood|imcp) \x30#f0(fcase =yes) [2988] string-match:irc-rsp-message:\.ddos\.stop(fcase =yes) [2989] string-match:irc-rsp-message:\.synstop(fcase =yes) [2990] string-match:irc-rsp-message:\.pingstop(fcase =yes) [2991] string-match:irc-rsp-message:\.udpstop(fcase =yes) [2992] string-match:irc-rsp-message:\.(update|up) (http|ftp)://(fcase =yes) [2993] string-match:irc-rsp-message:\.(download|dl) (http|ftp)://(fcase =yes) [2994] string-match:irc-rsp-message::\.(execute|e) (fcase =yes) [2995] string-match:irc-rsp-message:\.(findfile|ff) (fcase =yes) [2996] string-match:irc-rsp-message:\.(rename|mv) (fcase =yes) [2997] string-match:irc-rsp-message:\.filefilestopp (fcase =yes) [2998] string-match:irc-rsp-message:\.email (fcase =yes) [2999] string-match:irc-rsp-message:\.(clone|c) (fcase =yes) [3000] string-match:irc-rsp-message:\.(clonestop) \x30#f0(fcase =yes) [3001] string-match:irc-rsp-message:\.(c_raw|c_r) \x30#f0(fcase =yes) [3002] string-match:irc-rsp-message:\.(c_mode|c_m) \x30#f0(fcase =yes) [3003] string-match:irc-rsp-message:\.(c_nick|c_n) \x30#f0(fcase =yes) [3004] string-match:irc-rsp-message:\.(c_join|c_j) \x30#f0(fcase =yes) [3005] string-match:irc-rsp-message:\.(c_part|c_p) \x30#f0(fcase =yes) [3006] string-match:irc-rsp-message:\.(c_privmsg|c_pm) \x30#f0(fcase =yes) [3007] string-match:irc-rsp-message:\.(c_action|c_a) \x30#f0(fcase =yes) [3008] 
string-match:http-req-uri:/?PageServices(fcase =yes) [3009] numerical-eq:portmapper-call-procedure:0xffffffff:1:no [3010] numerical-eq:portmapper-call-procedure:0xffffffff:2:no [3011] string-match:tds-mssql-client-query-payload:x\x00p\x00_\x00u\x00n\x00p\x00a\x00c\x00k\x00c\x00a\x00b\x00 (fcase =yes) [3012] string-match:netbios-ss-tds-client-query-payload:x\x00p\x00_\x00u\x00n\x00p\x00a\x00c\x00k\x00c\x00a\x00b\x00 (fcase =yes) [3013] numerical-eq:pktsearch-cabrightstor-counter:0xffffffff:2:no [3014] string-match:irc-rsp-topic-msg-param:\x4b\x88\x23\xb8....\xff\xd0(fcase =no) [3015] string-match:irc-rsp-topic-msg-param:\x83\xc3\x04\x88\x23\xb8....\xff\xd0(fcase =no) [3016] string-match:irc-rsp-topic-msg-param:\xe8..\xff\xff(fcase =no) [3017] string-match:rlogin-server-data-text:\$ $(fcase =no) [3018] string-match:rlogin-server-data-text:\# $(fcase =no) [3019] string-match:rlogin-server-data-text:\% $(fcase =no) [3020] string-match:rlogin-server-data-text:\] $(fcase =no) [3021] unsigned-gt:http-req-uri-query-params-length:0xffffffff:120:no [3022] string-match:http-req-uri-path:gozilla.cgi(fcase =yes) [3023] string-match:http-req-uri-query-params:syspasswd(fcase =yes) [3024] string-match:http-req-uri-query-params:syspasswdconfig(fcase =yes) [3025] numerical-eq:dhcp-req-cf-bootfile-f4b:0xffffffff:0x90909090:no [3026] unsigned-gt:dhcp-req-cf-pktlen:0xffffffff:1000:no [3027] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:1991:no [3028] string-match:pktsearch-rsp-text:^\x1b\x5b\x32\x4a\x1b\x5b\x34\x30\x6d\x1b\x5b\x33\x37\x6dPitFall(fcase =no) [3029] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:11991:no [3030] string-match:pktsearch-rsp-text:^A01\x08A03PitFall (fcase =no) [3031] string-match:http-req-uri-path:php\.exe$(fcase =yes) [3032] string-match:http-req-uri-query-params:(c|d):\x5c(fcase =yes) [3033] string-match:smtp-mail-cmd-param:\x3a\x20\x22\x7c(fcase =no) [3034] string-match:http-req-uri-path:\.php(fcase =yes) [3035] 
string-match:http-req-uri-query-param-name:includedir(fcase =yes) [3036] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:10001:no [3037] string-match:pktsearch-req-text:^dtr\x06\x02(fcase =no) [3038] numerical-eq:h225-error-code:0xffffffff:DestinationEmailLengthAnomaly:no [3039] numerical-eq:pktsearch-udp-dst-port:0xffffffff:5882:no [3040] numerical-eq:pktsearch-udp-dst-port:0xffffffff:5888:no [3041] string-match:pktsearch-req-text:^Y3K(fcase =no) [3042] string-match:pktsearch-rsp-text:^con(fcase =no) [3043] string-match:pktsearch-req-text:^ftp(fcase =no) [3044] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:5880:no [3045] string-match:pktsearch-rsp-text:^host(fcase =no) [3046] string-match:pktsearch-req-text:^getclient(fcase =no) [3047] string-match:pktsearch-rsp-text:^thepwd(fcase =no) [3048] string-match:pktsearch-req-text:^thepwd(fcase =no) [3049] string-match:ftp-retr-cmd-param: |(fcase =no) [3050] string-match:tds-mssql-client-query-payload:x\x00p\x00_\x00u\x00p\x00d\x00a\x00t\x00e\x00c\x00o\x00l\x00v\x00b\x00m(fcase =yes) [3051] string-match:netbios-ss-tds-client-query-payload:x\x00p\x00_\x00u\x00p\x00d\x00a\x00t\x00e\x00c\x00o\x00l\x00v\x00b\x00m(fcase =yes) [3052] string-match:http-req-uri-path:^///cgi-bin(fcase =no) [3053] string-match:ftp-rsp-text:Oracle XML DB(fcase =no) [3054] string-match:ftp-invalid-cmd-text:^UNLOCK(fcase =no) [3055] unsigned-gt:ftp-invalid-cmd-text-length:0xffffffff:800:no [3056] string-match:ftp-invalid-cmd-text:^TEST(fcase =no) [3057] unsigned-gt:ftp-user-cmd-param-length:0xffffffff:800:no [3058] string-match:smtp-SCR-message-body:jfs5kirbc34RHDlQYOQRVvqS(fcase =no) [3059] string-match:smtp-SCR-message-body:ADnU8LwJ+gXKWJKCyLFHjyEZ(fcase =no) [3060] string-match:smtp-EXE-message-body:jfs5kirbc34RHDlQYOQRVvqS(fcase =no) [3061] string-match:smtp-EXE-message-body:ADnU8LwJ+gXKWJKCyLFHjyEZ(fcase =no) [3062] string-match:smtp-COM-message-body:jfs5kirbc34RHDlQYOQRVvqS(fcase =no) [3063] 
string-match:smtp-COM-message-body:ADnU8LwJ+gXKWJKCyLFHjyEZ(fcase =no) [3064] string-match:smtp-CPL-message-body:jfs5kirbc34RHDlQYOQRVvqS(fcase =no) [3065] string-match:smtp-CPL-message-body:ADnU8LwJ+gXKWJKCyLFHjyEZ(fcase =no) [3066] string-match:smtp-VBS-message-body:121,51,106,116,43,80,7,7(fcase =no) [3067] string-match:smtp-VBS-message-body:68,90,145,73,242,127,60,(fcase =no) [3068] string-match:smtp-HTA-message-body:121,51,106,116,43,80,7,7(fcase =no) [3069] string-match:smtp-HTA-message-body:68,90,145,73,242,127,60,(fcase =no) [3070] string-match:pop3-SCR-message-body:jfs5kirbc34RHDlQYOQRVvqS(fcase =no) [3071] string-match:pop3-SCR-message-body:ADnU8LwJ+gXKWJKCyLFHjyEZ(fcase =no) [3072] string-match:pop3-EXE-message-body:jfs5kirbc34RHDlQYOQRVvqS(fcase =no) [3073] string-match:pop3-EXE-message-body:ADnU8LwJ+gXKWJKCyLFHjyEZ(fcase =no) [3074] string-match:pop3-COM-message-body:jfs5kirbc34RHDlQYOQRVvqS(fcase =no) [3075] string-match:pop3-COM-message-body:ADnU8LwJ+gXKWJKCyLFHjyEZ(fcase =no) [3076] string-match:pop3-CPL-message-body:jfs5kirbc34RHDlQYOQRVvqS(fcase =no) [3077] string-match:pop3-CPL-message-body:ADnU8LwJ+gXKWJKCyLFHjyEZ(fcase =no) [3078] string-match:pop3-VBS-message-body:121,51,106,116,43,80,7,7(fcase =no) [3079] string-match:pop3-VBS-message-body:68,90,145,73,242,127,60,(fcase =no) [3080] string-match:pop3-HTA-message-body:121,51,106,116,43,80,7,7(fcase =no) [3081] string-match:pop3-HTA-message-body:68,90,145,73,242,127,60,(fcase =no) [3082] string-match:imap-SCR-message-body:jfs5kirbc34RHDlQYOQRVvqS(fcase =no) [3083] string-match:imap-SCR-message-body:ADnU8LwJ+gXKWJKCyLFHjyEZ(fcase =no) [3084] string-match:imap-EXE-message-body:jfs5kirbc34RHDlQYOQRVvqS(fcase =no) [3085] string-match:imap-EXE-message-body:ADnU8LwJ+gXKWJKCyLFHjyEZ(fcase =no) [3086] string-match:imap-COM-message-body:jfs5kirbc34RHDlQYOQRVvqS(fcase =no) [3087] string-match:imap-COM-message-body:ADnU8LwJ+gXKWJKCyLFHjyEZ(fcase =no) [3088] 
string-match:imap-CPL-message-body:jfs5kirbc34RHDlQYOQRVvqS(fcase =no) [3089] string-match:imap-CPL-message-body:ADnU8LwJ+gXKWJKCyLFHjyEZ(fcase =no) [3090] string-match:imap-VBS-message-body:121,51,106,116,43,80,7,7(fcase =no) [3091] string-match:imap-VBS-message-body:68,90,145,73,242,127,60,(fcase =no) [3092] string-match:imap-HTA-message-body:121,51,106,116,43,80,7,7(fcase =no) [3093] string-match:imap-HTA-message-body:68,90,145,73,242,127,60,(fcase =no) [3094] string-match:http-req-uri-path:/viewtopic\.php(fcase =yes) [3095] string-match:http-req-uri-query-params:highlight=%2527(fcase =yes) [3096] numerical-eq:mysql-error-code:0xffffffff:V4_AUTH_BYPASS:no [3097] string-match:pktsearch-req-text:^R0X_(fcase =no) [3098] string-match:pktsearch-rsp-text:^R0X_STATUS\|(fcase =no) [3099] string-match:p2p-req-text:^R0X_(fcase =no) [3100] string-match:p2p-rsp-text:^R0X_STATUS\|(fcase =no) [3101] numerical-eq:http-error-code:0xffffffff:SMUGGLING_MULTIPLE_LENGTH_EXIST:no [3102] string-match:http-req-message-body:(GET|POST) (fcase =yes) [3103] numerical-eq:http-error-code:0xffffffff:SMUGGLING_LENGTH_CHUNK_EXIST:no [3104] string-match:http-req-header:\n\r\r\n(GET|Post) (fcase =yes) [3105] unsigned-gt:http-get-req-content-length:0xffffffff:0:no [3106] string-match:http-post-req-message-body:^(GET|POST) http://(fcase =yes) [3107] string-match:http-req-header:\n[ \t]\r\n(GET|POST) (fcase =yes) [3108] string-match:http-req-uri-path:%.%.%.%.%.%.%.%.(fcase =no) [3109] string-match:http-req-uri-path:[%$](h|hn)%(fcase =no) [3110] string-match:http-req-uri-path:dcforum/dcboard\.cgi$(fcase =yes) [3111] string-match:http-req-uri-query-param-name:(lastname|firstname)(fcase =yes) [3112] string-match:http-req-uri-query-param-value:\|admin(fcase =yes) [3113] string-match:rpc-call-data:\x3f\xfe\x82\x10\x20\x29\x91\xd0\x20\x08\xaa\x25\x7f\xff\x80\xa5(fcase =no) [3114] string-match:pktsearch-req-text:\x3f\xfe\x82\x10\x20\x29\x91\xd0\x20\x08\xaa\x25\x7f\xff\x80\xa5(fcase =no) [3115] 
string-match:tds-mssql-client-query-payload:x\x00p\x00_\x00r\x00e\x00p\x00l\x00_\x00e\x00n\x00c\x00r\x00y\x00p\x00t\x00 (fcase =yes) [3116] string-match:netbios-ss-tds-client-query-payload:x\x00p\x00_\x00r\x00e\x00p\x00l\x00_\x00e\x00n\x00c\x00r\x00y\x00p\x00t\x00 (fcase =yes) [3117] unsigned-gt:tns-req-connect-data-text-len:0xffffffff:2000:no [3118] string-match:tns-req-connect-data-text:\(SERVICE(fcase =yes) [3119] unsigned-gt:telnet-client-login-env-counter:0xffffffff:60:no [3120] unsigned-gt:telnet-username-client-login-length:0xffffffff:128:no [3121] numerical-eq:netbios-ss-error-code:0xffffffff:MS05-027_SMB_OVERFLOW:no [3122] string-match:http-post-req-uri-path:\.htr(fcase =yes) [3123] numerical-eq:ident-client-shutdown:0xffffffff:1:no [3124] numerical-eq:ident-rsp-type:0xffffffff:1:no [3125] unsigned-lt:ident-valid-ident-req:0xffffffff:2:no [3126] unsigned-gt:ident-rsp-type:0xffffffff:2:no [3127] numerical-eq:ident-rsp-pkt-counter:0xffffffff:1:no [3128] string-match:http-req-uri-path:/index2\.php$(fcase =yes) [3129] string-match:http-req-uri-query-param-name:PHPSESSID(fcase =yes) [3130] string-match:pktsearch-rsp-text:^Basic Hell - \[ Server OK \](fcase =no) [3131] string-match:pktsearch-rsp-text:^\x0A\xCD\xEA\xB3\xC9(fcase =no) [3132] string-match:pktsearch-req-text:^\x0A\xCD\xEA\xB3\xC9(fcase =no) [3133] string-match:http-req-uri-path:whois_raw\.cgi$(fcase =no) [3134] string-match:http-req-uri-query-param-name:fqdn(fcase =yes) [3135] string-match:http-req-uri-query-param-value:^%0A(fcase =no) [3136] string-match:http-req-uri-query-param-value:^%0a(fcase =no) [3137] string-match:http-req-uri-path:webapp/admin/showjavartdetails\.jsp(fcase =no) [3138] string-match:http-req-uri-path:webapp/admin/showpooldetails\.jsp(fcase =no) [3139] string-match:telnet-client-data-text:\xFF\xFC\x18\xFF\xFD\x03\xFF\xFC\x23\xFF\xFC\x1F\xFF\xFC\x24\xFF\xFC\x27\xFF\xFD\x01\x04\x04\x04\x04\x04\x04(fcase =no) [3140] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:2255:no [3141] 
string-match:pktsearch-req-text:^\xac\xea\xac\xe2(fcase =no) [3142] string-match:pktsearch-req-text:^\xc7\xc300:00:00(fcase =no) [3143] string-match:pktsearch-req-text:^\xbd\x43\x3a\x5c(fcase =no) [3144] string-match:pktsearch-rsp-text:^\x3CNetSphere\x7C(fcase =no) [3145] string-match:pktsearch-req-text:^\x3CNick\x7C(fcase =no) [3146] string-match:pktsearch-rsp-text:^220 NetSphere Capture FTP\x0d\x0a(fcase =no) [3147] string-match:http-req-query-param-name:fname=|(fcase =yes) [3148] string-match:http-req-query-param-value:/(sbin|bin|usr|etc)/(fcase =yes) [3149] string-match:http-req-uri-path:infosrch\.cgi$(fcase =no) [3150] numerical-eq:snmp-dst-ip-err-code:0xffffffff:1:no [3151] unsigned-gt:snmp-trap-dst-ip-field-length:0xffffffff:4:no [3152] unsigned-gt:telnet-login-fail-counter:0xffffffff:0:no [3153] numerical-eq:dns-request-ancount:0xffffffff:1:no [3154] unsigned-gt:dns-request-answer-rdlength:0xffffffff:512:no [3155] string-match:http-req-uri-path:login_page\.php(fcase =yes) [3156] string-match:http-req-uri-path:core_html_API\.php(fcase =yes) [3157] string-match:http-req-uri-query-param-name:g_meta_include_file(fcase =yes) [3158] string-match:http-req-uri-query-param-name:g_css_include_file(fcase =yes) [3159] unsigned-in-range:wins-first-req-msg-len:0xffffffff:0x119:0xFFF::no [3160] string-match:smtp-rcpt-cmd-param:IMCEASMTP-(fcase =yes) [3161] unsigned-gt:ssl-v2-client-hello-chlg-len:0xffffffff:32:no [3162] string-match:pktsearch-req-text:^Computer(fcase =no) [3163] string-match:pktsearch-rsp-text:^Computer name:(fcase =no) [3164] string-match:pktsearch-req-text:^User(fcase =no) [3165] string-match:pktsearch-rsp-text:^Current User:(fcase =no) [3166] string-match:pktsearch-req-text:^WinInfo(fcase =no) [3167] string-match:pktsearch-rsp-text:^Major Version:(fcase =no) [3168] string-match:pktsearch-req-text:^\x30\x00\xFF\x08\x00(fcase =no) [3169] string-match:pktsearch-rsp-text:\x30\x00\xFF\x08\x00(fcase =no) [3170] 
string-match-ap:rsp-content-text:\x2A\x01..\x00.\x00\x00\x00\x01\x2A(fcase =no)(offset=0, depth=0) [3171] string-match-ap:req-content-text:\x2A\x01....\x00\x00\x00\x01\x2A(fcase =no)(offset=0, depth=0) [3172] string-match:http-req-host-header:aimexpress.aol.com(fcase =no) [3173] string-match:http-req-uri-path:/AOWPipeServlet.svc(fcase =no) [3174] string-match:http-req-content-type-header:AIM/HTTP(fcase =no) [3175] string-match:http-req-message-body:^\x2A\x01....\x00\x00\x00\x01(fcase =no) [3176] string-match:dns-rdata:\x0A\x68\x65\x6C\x70\x0A\x71\x75\x69\x74\x0A(fcase =no) [3177] string-match:dns-qname:\x0A\x68\x65\x6C\x70\x0A\x71\x75\x69\x74\x0A(fcase =no) [3178] string-match:dns-rr-name:\x0A\x68\x65\x6C\x70\x0A\x71\x75\x69\x74\x0A(fcase =no) [3179] string-match:snmp-msg:\x0A\x68\x65\x6C\x70\x0A\x71\x75\x69\x74\x0A(fcase =no) [3180] string-match:http-req-uri-path:/handler/(fcase =no) [3181] string-match:http-req-uri-path:|?(fcase =no) [3182] string-match:http-req-uri-path:| (fcase =no) [3183] string-match:http-req-uri-path:/(etc|sbin|bin|usr)/(fcase =no) [3184] string-match:http-req-uri-path:/admin_/help/\.\.(/|\\)\.\.(/|\\)\.\.(/|\\)(fcase =no) [3185] string-match:snmp-request-community-string-field:^%.%.%.%.%.%.(fcase =no) [3186] string-match:snmp-get-varbind-value-field:^%.%.%.%.%.%.(fcase =no) [3187] string-match:snmp-get-next-varbind-value-field:^%.%.%.%.%.%.(fcase =no) [3188] string-match:snmp-set-varbind-value-field:^%.%.%.%.%.%.(fcase =no) [3189] string-match:snmp-trap-varbind-value-field:^%.%.%.%.%.%.(fcase =no) [3190] string-match:snmp-v2-bulk-varbind-value-field:^%.%.%.%.%.%.(fcase =no) [3191] string-match:snmp-v2-trap-varbind-value-field:^%.%.%.%.%.%.(fcase =no) [3192] string-match:snmp-v2-inform-varbind-value-field:^%.%.%.%.%.%.(fcase =no) [3193] string-match:snmp-get-varbind-object-id-field:^%.%.%.%.%.%.(fcase =no) [3194] string-match:snmp-get-next-varbind-object-id-field:^%.%.%.%.%.%.(fcase =no) [3195] 
string-match:snmp-set-varbind-object-id-field:^%.%.%.%.%.%.(fcase =no) [3196] string-match:snmp-trap-varbind-object-id-field:^%.%.%.%.%.%.(fcase =no) [3197] string-match:snmp-v2-bulk-varbind-object-id-field:^%.%.%.%.%.%.(fcase =no) [3198] string-match:snmp-v2-trap-varbind-object-id-field:^%.%.%.%.%.%.(fcase =no) [3199] string-match:snmp-v2-inform-varbind-object-id-field:^%.%.%.%.%.%.(fcase =no) [3200] string-match:snmp-trap-enterprise-object-id-field:^%.%.%.%.%.%.(fcase =no) [3201] unsigned-gt:nntp-xpat-client-request-param-length:0xffffffff:512:no [3202] string-match:http-req-uri-path:phpix/(fcase =yes) [3203] string-match:http-req-uri-query-params:=`(fcase =yes) [3204] unsigned-gt:imap-status-cmd-param-length:0xffffffff:195:no [3205] string-match:http-req-uri-path:servlet(fcase =yes) [3206] string-match:http-req-uri-path:jsp(fcase =yes) [3207] string-match:smtp-content-type-message-header:message/external-body;(fcase =yes) [3208] string-match:smtp-content-type-message-header:\*3221225...\*(fcase =no) [3209] unsigned-gt:finger-redirect-counter:0xffffffff:0:no [3210] string-match:finger-client-data-text:localhost(fcase =no) [3211] string-match:finger-client-data-text:127\.0\.0\.1(fcase =no) [3212] string-match:finger-client-data-text:127\.1(fcase =no) [3213] string-match:telnet-client-environ-sb-param:_RLD(fcase =no) [3214] string-match:telnet-client-environ-sb-param:[cduxio]%(fcase =no) [3215] string-match:telnet-client-environ-sb-param:$(n|hn)%(fcase =no) [3216] unsigned-gt:telnet-client-environ-sb-param-length:0xffffffff:80:no [3217] string-match:telnet-client-environ-sb-param:c%11$hn%(fcase =no) [3218] string-match:telnet-client-environ-sb-param:c%12$hn(fcase =no) [3219] unsigned-gt:pktsearch-arkeia-req-len:0xffffffff:24:no [3220] string-match:pktsearch-arkeia-req-text:^\x00\x4d\x00\x03\x00\x01(fcase =no) [3221] unsigned-gt:pktsearch-arkeia-req-len:0xffffffff:255:no [3222] string-match:pktsearch-arkeia-req-text:^\x00\x54\x00\x03\x00\x01(fcase =no) [3223] 
unsigned-gt:ssl-length:0xffffffff:0xfffffffc:no [3224] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:9999:no [3225] string-match:pktsearch-req-text:^\xce\x63\xd1\xd2\x16\xe7\x13\xcf.\xa5\xa5\x86(fcase =no) [3226] string-match:backorifice-req-text:^\xce\x63\xd1\xd2\x16\xe7\x13\xcf.\xa5\xa5\x86(fcase =no) [3227] string-match:pktsearch-req-text:^\xce\x63\xd1\xd2\x16\xe7\x13\xcf(fcase =no) [3228] string-match:pktsearch-rsp-text:^\xce\x63\xd1\xd2\x16\xe7\x13\xcf(fcase =no) [3229] string-match:backorifice-req-text:^\xce\x63\xd1\xd2\x16\xe7\x13\xcf(fcase =no) [3230] string-match:backorifice-rsp-text:^\xce\x63\xd1\xd2\x16\xe7\x13\xcf(fcase =no) [3231] numerical-eq:pktsearch-bo-counter:0xffffffff:2:no [3232] numerical-eq:backorifice-bo-counter:0xffffffff:2:no [3233] numerical-eq:pktsearch-bo120-cnt:0xffffffff:2:no [3234] numerical-eq:backorifice-bo120-counter:0xffffffff:1:no [3235] numerical-eq:backorifice-bo120-counter:0xffffffff:2:no [3236] string-match:ftp-invalid-cmd-text:^id[\n; \t](fcase =no) [3237] string-match:ftp-invalid-cmd-text:[; \t/]id[\n; \t](fcase =no) [3238] string-match:ftp-before-rsp-code-rsp-text:uid=0\(root\).gid=(fcase =no) [3239] string-match:ftp-before-rsp-code-rsp-text:uid=.\(bin\).gid=(fcase =no) [3240] string-match:ftp-before-rsp-code-rsp-text:uid=.\(sys\).gid=(fcase =no) [3241] string-match:ftp-invalid-cmd-text:^whoami[\n; \t](fcase =no) [3242] string-match:ftp-invalid-cmd-text:[; \t/]whoami[\n; \t](fcase =no) [3243] string-match:ftp-before-rsp-code-rsp-text:root(fcase =no) [3244] string-match:ftp-before-rsp-code-rsp-text:bin(fcase =no) [3245] string-match:ftp-before-rsp-code-rsp-text:sys(fcase =no) [3246] string-match:ftp-invalid-cmd-text:^uname(fcase =no) [3247] string-match:ftp-invalid-cmd-text:^ls[\n ](fcase =no) [3248] string-match:ftp-invalid-cmd-text:^cd (fcase =no) [3249] string-match:ftp-invalid-cmd-text:^pwd(fcase =no) [3250] string-match:ftp-invalid-cmd-text:^mv (fcase =no) [3251] string-match:ftp-invalid-cmd-text:^cp (fcase =no) 
[3252] string-match:ftp-invalid-cmd-text:^rm(fcase =no) [3253] string-match:ftp-invalid-cmd-text:^cat (fcase =no) [3254] string-match:ftp-invalid-cmd-text:^echo (fcase =no) [3255] string-match:ftp-invalid-cmd-text:^gcc (fcase =no) [3256] string-match:http-req-uri-path:(\\|/)ExprCalc\.cfm(fcase =yes) [3257] string-match:http-req-query-param-name:OpenFilePath(fcase =yes) [3258] string-match:http-req-uri-path:expeval(\\|/)(fcase =yes) [3259] string-match:http-req-uri-path:(\\|/)openfile\.cfm(fcase =yes) [3260] string-match:http-req-uri-path:(\\|/)sendmail\.cfm$(fcase =yes) [3261] string-match:http-req-uri-path:snippets(\\|/)(fcase =yes) [3262] string-match:http-req-uri-path:(\\|/)evaluate\.cfm(fcase =yes) [3263] string-match:http-req-uri-path:cfdocs(\\|/)(fcase =yes) [3264] string-match:http-req-uri-path:(\\|/)mainframeset\.cfm(fcase =yes) [3265] unsigned-gt:pop3-xtnd-cmd-param-length:0xffffffff:512:no [3266] string-match:smtp-PIF-message-body:ICpfXyZNTU5JL1dvum1fU2F9(fcase =no) [3267] string-match:smtp-PIF-message-body:33wtlEyjVctiJKHdJxsMH1Ue(fcase =no) [3268] string-match:smtp-EXE-message-body:ICpfXyZNTU5JL1dvum1fU2F9(fcase =no) [3269] string-match:smtp-EXE-message-body:33wtlEyjVctiJKHdJxsMH1Ue(fcase =no) [3270] string-match:smtp-SCR-message-body:ICpfXyZNTU5JL1dvum1fU2F9(fcase =no) [3271] string-match:smtp-SCR-message-body:33wtlEyjVctiJKHdJxsMH1Ue(fcase =no) [3272] string-match:smtp-BAT-message-body:ICpfXyZNTU5JL1dvum1fU2F9(fcase =no) [3273] string-match:smtp-BAT-message-body:33wtlEyjVctiJKHdJxsMH1Ue(fcase =no) [3274] string-match:smtp-COM-message-body:ICpfXyZNTU5JL1dvum1fU2F9(fcase =no) [3275] string-match:smtp-COM-message-body:33wtlEyjVctiJKHdJxsMH1Ue(fcase =no) [3276] string-match:smtp-ZIP-message-body:ICpfXyZNTU5JL1dvum1fU2F9(fcase =no) [3277] string-match:smtp-ZIP-message-body:33wtlEyjVctiJKHdJxsMH1Ue(fcase =no) [3278] string-match:smtp-ZIP-message-body:Kl9fJk1NTkkvV2+6bV9TYX3f(fcase =no) [3279] string-match:smtp-ZIP-message-body:fC2UTKNVy2Ikod0nGwwfVR4V(fcase 
=no) [3280] string-match:smtp-ZIP-message-body:X18mTU1OSS9Xb7ptX1Nhfd98(fcase =no) [3281] string-match:smtp-ZIP-message-body:LZRMo1XLYiSh3ScbDB9VHhUc(fcase =no) [3282] string-match:pop3-PIF-message-body:ICpfXyZNTU5JL1dvum1fU2F9(fcase =no) [3283] string-match:pop3-PIF-message-body:33wtlEyjVctiJKHdJxsMH1Ue(fcase =no) [3284] string-match:pop3-EXE-message-body:ICpfXyZNTU5JL1dvum1fU2F9(fcase =no) [3285] string-match:pop3-EXE-message-body:33wtlEyjVctiJKHdJxsMH1Ue(fcase =no) [3286] string-match:pop3-SCR-message-body:ICpfXyZNTU5JL1dvum1fU2F9(fcase =no) [3287] string-match:pop3-SCR-message-body:33wtlEyjVctiJKHdJxsMH1Ue(fcase =no) [3288] string-match:pop3-BAT-message-body:ICpfXyZNTU5JL1dvum1fU2F9(fcase =no) [3289] string-match:pop3-BAT-message-body:33wtlEyjVctiJKHdJxsMH1Ue(fcase =no) [3290] string-match:pop3-COM-message-body:ICpfXyZNTU5JL1dvum1fU2F9(fcase =no) [3291] string-match:pop3-COM-message-body:33wtlEyjVctiJKHdJxsMH1Ue(fcase =no) [3292] string-match:pop3-ZIP-message-body:ICpfXyZNTU5JL1dvum1fU2F9(fcase =no) [3293] string-match:pop3-ZIP-message-body:33wtlEyjVctiJKHdJxsMH1Ue(fcase =no) [3294] string-match:pop3-ZIP-message-body:Kl9fJk1NTkkvV2+6bV9TYX3f(fcase =no) [3295] string-match:pop3-ZIP-message-body:fC2UTKNVy2Ikod0nGwwfVR4V(fcase =no) [3296] string-match:pop3-ZIP-message-body:X18mTU1OSS9Xb7ptX1Nhfd98(fcase =no) [3297] string-match:pop3-ZIP-message-body:LZRMo1XLYiSh3ScbDB9VHhUc(fcase =no) [3298] string-match:imap-PIF-message-body:ICpfXyZNTU5JL1dvum1fU2F9(fcase =no) [3299] string-match:imap-PIF-message-body:33wtlEyjVctiJKHdJxsMH1Ue(fcase =no) [3300] string-match:imap-EXE-message-body:ICpfXyZNTU5JL1dvum1fU2F9(fcase =no) [3301] string-match:imap-EXE-message-body:33wtlEyjVctiJKHdJxsMH1Ue(fcase =no) [3302] string-match:imap-SCR-message-body:ICpfXyZNTU5JL1dvum1fU2F9(fcase =no) [3303] string-match:imap-SCR-message-body:33wtlEyjVctiJKHdJxsMH1Ue(fcase =no) [3304] string-match:imap-BAT-message-body:ICpfXyZNTU5JL1dvum1fU2F9(fcase =no) [3305] 
string-match:imap-BAT-message-body:33wtlEyjVctiJKHdJxsMH1Ue(fcase =no) [3306] string-match:imap-COM-message-body:ICpfXyZNTU5JL1dvum1fU2F9(fcase =no) [3307] string-match:imap-COM-message-body:33wtlEyjVctiJKHdJxsMH1Ue(fcase =no) [3308] string-match:imap-ZIP-message-body:ICpfXyZNTU5JL1dvum1fU2F9(fcase =no) [3309] string-match:imap-ZIP-message-body:33wtlEyjVctiJKHdJxsMH1Ue(fcase =no) [3310] string-match:imap-ZIP-message-body:Kl9fJk1NTkkvV2+6bV9TYX3f(fcase =no) [3311] string-match:imap-ZIP-message-body:fC2UTKNVy2Ikod0nGwwfVR4V(fcase =no) [3312] string-match:imap-ZIP-message-body:X18mTU1OSS9Xb7ptX1Nhfd98(fcase =no) [3313] string-match:imap-ZIP-message-body:LZRMo1XLYiSh3ScbDB9VHhUc(fcase =no) [3314] string-match:smtp-EXE-message-body:cGHJ3mKDZaMtA522hA0bQvd/(fcase =no) [3315] string-match:smtp-EXE-message-body:O7nvvWOJhUE9B2V7DwnhdB/1(fcase =no) [3316] string-match:smtp-PIF-message-body:cGHJ3mKDZaMtA522hA0bQvd/(fcase =no) [3317] string-match:smtp-PIF-message-body:O7nvvWOJhUE9B2V7DwnhdB/1(fcase =no) [3318] string-match:smtp-SCR-message-body:cGHJ3mKDZaMtA522hA0bQvd/(fcase =no) [3319] string-match:smtp-SCR-message-body:O7nvvWOJhUE9B2V7DwnhdB/1(fcase =no) [3320] string-match:smtp-BAT-message-body:cGHJ3mKDZaMtA522hA0bQvd/(fcase =no) [3321] string-match:smtp-BAT-message-body:O7nvvWOJhUE9B2V7DwnhdB/1(fcase =no) [3322] string-match:smtp-COM-message-body:cGHJ3mKDZaMtA522hA0bQvd/(fcase =no) [3323] string-match:smtp-COM-message-body:O7nvvWOJhUE9B2V7DwnhdB/1(fcase =no) [3324] string-match:smtp-ZIP-message-body:cGHJ3mKDZaMtA522hA0bQvd/(fcase =no) [3325] string-match:smtp-ZIP-message-body:O7nvvWOJhUE9B2V7DwnhdB/1(fcase =no) [3326] string-match:smtp-ZIP-message-body:YcneYoNloy0DnbaEDRtC9387(fcase =no) [3327] string-match:smtp-ZIP-message-body:ue+9Y4mFQT0HZXsPCeF0H/V1(fcase =no) [3328] string-match:smtp-ZIP-message-body:yd5ig2WjLQOdtoQNG0L3fzu5(fcase =no) [3329] string-match:smtp-ZIP-message-body:771jiYVBPQdlew8J4XQf9XVX(fcase =no) [3330] 
string-match:pop3-EXE-message-body:cGHJ3mKDZaMtA522hA0bQvd/(fcase =no) [3331] string-match:pop3-EXE-message-body:O7nvvWOJhUE9B2V7DwnhdB/1(fcase =no) [3332] string-match:pop3-PIF-message-body:cGHJ3mKDZaMtA522hA0bQvd/(fcase =no) [3333] string-match:pop3-PIF-message-body:O7nvvWOJhUE9B2V7DwnhdB/1(fcase =no) [3334] string-match:pop3-SCR-message-body:cGHJ3mKDZaMtA522hA0bQvd/(fcase =no) [3335] string-match:pop3-SCR-message-body:O7nvvWOJhUE9B2V7DwnhdB/1(fcase =no) [3336] string-match:pop3-BAT-message-body:cGHJ3mKDZaMtA522hA0bQvd/(fcase =no) [3337] string-match:pop3-BAT-message-body:O7nvvWOJhUE9B2V7DwnhdB/1(fcase =no) [3338] string-match:pop3-COM-message-body:cGHJ3mKDZaMtA522hA0bQvd/(fcase =no) [3339] string-match:pop3-COM-message-body:O7nvvWOJhUE9B2V7DwnhdB/1(fcase =no) [3340] string-match:pop3-ZIP-message-body:cGHJ3mKDZaMtA522hA0bQvd/(fcase =no) [3341] string-match:pop3-ZIP-message-body:O7nvvWOJhUE9B2V7DwnhdB/1(fcase =no) [3342] string-match:pop3-ZIP-message-body:YcneYoNloy0DnbaEDRtC9387(fcase =no) [3343] string-match:pop3-ZIP-message-body:yd5ig2WjLQOdtoQNG0L3fzu5(fcase =no) [3344] string-match:pop3-ZIP-message-body:771jiYVBPQdlew8J4XQf9XVX(fcase =no) [3345] string-match:imap-EXE-message-body:cGHJ3mKDZaMtA522hA0bQvd/(fcase =no) [3346] string-match:imap-EXE-message-body:O7nvvWOJhUE9B2V7DwnhdB/1(fcase =no) [3347] string-match:imap-PIF-message-body:cGHJ3mKDZaMtA522hA0bQvd/(fcase =no) [3348] string-match:imap-PIF-message-body:O7nvvWOJhUE9B2V7DwnhdB/1(fcase =no) [3349] string-match:imap-SCR-message-body:cGHJ3mKDZaMtA522hA0bQvd/(fcase =no) [3350] string-match:imap-SCR-message-body:O7nvvWOJhUE9B2V7DwnhdB/1(fcase =no) [3351] string-match:imap-BAT-message-body:cGHJ3mKDZaMtA522hA0bQvd/(fcase =no) [3352] string-match:imap-BAT-message-body:O7nvvWOJhUE9B2V7DwnhdB/1(fcase =no) [3353] string-match:imap-COM-message-body:cGHJ3mKDZaMtA522hA0bQvd/(fcase =no) [3354] string-match:imap-COM-message-body:O7nvvWOJhUE9B2V7DwnhdB/1(fcase =no) [3355] 
string-match:imap-ZIP-message-body:cGHJ3mKDZaMtA522hA0bQvd/(fcase =no) [3356] string-match:imap-ZIP-message-body:O7nvvWOJhUE9B2V7DwnhdB/1(fcase =no) [3357] string-match:imap-ZIP-message-body:YcneYoNloy0DnbaEDRtC9387(fcase =no) [3358] string-match:imap-ZIP-message-body:ue+9Y4mFQT0HZXsPCeF0H/V1(fcase =no) [3359] string-match:imap-ZIP-message-body:yd5ig2WjLQOdtoQNG0L3fzu5(fcase =no) [3360] string-match:imap-ZIP-message-body:771jiYVBPQdlew8J4XQf9XVX(fcase =no) [3361] string-match:http-req-uri-path:rpc-nlog\.pl(fcase =yes) [3362] string-match:http-req-uri-path:nlog-smb\.pl(fcase =yes) [3363] string-match:http-req-uri-query-param-name:;(cat|rm|cp)(fcase =no) [3364] string-match:smtp-message-body:\\\xff\\\xff\\\xff\\\xff\\\xff(fcase =no) [3365] string-match:smtp-message-header:\\\xff\\\xff\\\xff\\\xff\\\xff(fcase =no) [3366] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:41626:no [3367] string-match:pktsearch-rsp-text: SERVER 1\.0(fcase =no) [3368] string-match:http-req-uri-path:iisadmpwd(fcase =yes) [3369] string-match:http-req-uri-path:(\\|/)aexp(fcase =yes) [3370] unsigned-gt:pop3-pass-cmd-param-length:0xffffffff:200:no [3371] string-match:http-req-uri-path:Admin_files/order\.log(fcase =yes) [3372] string-match:netbios-ss-smb-tree_connect_andx-buffer:\\(CON|AUX|NUL|PRN|CLOCK\$|CONFIG\$|MOUSE|MSCD|SETVERXX)\x00(fcase =no) [3373] string-match:netbios-ss-smb-tree_connect_andx-buffer:\\(LPT|COM)[1-9]\x00(fcase =no) [3374] unsigned-gt:http-req-uri-path-length:0xffffffff:2000:no [3375] string-match:http-req-uri-path:(/|\\)foxweb\.dll(/|\\)(fcase =yes) [3376] string-match:irc-req-message:ntscan \x30#f0(fcase =yes) [3377] string-match:irc-req-message:dcom\.self(fcase =yes) [3378] string-match:irc-req-message:scan\.(start|stop)(fcase =yes) [3379] string-match:irc-req-message:(advscan|asc|xscan|xploit|adv\.start) (fcase =yes) [3380] string-match:irc-rsp-message:ntscan \x30#f0(fcase =yes) [3381] string-match:irc-rsp-message:dcom\.self(fcase =yes) [3382] 
string-match:irc-rsp-message:scan\.(start|stop)(fcase =yes) [3383] string-match:irc-rsp-message:\.(advscan|asc|xscan|xploit|adv\.start) (fcase =yes) [3384] string-match:pktsearch-req-text:^Czy\x9c\xe6(fcase =no) [3385] string-match:pktsearch-rsp-text:^Pol\xb9czono\.\.\.(fcase =no) [3386] string-match:ftp-pwd-cmd-param:%u%u%u%u%u%u%u%n(fcase =no) [3387] string-match:http-post-req-uri-path:(\\|/)formmail\.pl$(fcase =yes) [3388] string-match:http-post-req-message-body:recipient=(fcase =no) [3389] string-match:http-post-req-message-body:;(/bin/|/usr/|/sbin/|mail|sendmail|cat)(fcase =no) [3390] string-match:http-req-uri-path:(\\|/)formmail\.pl$(fcase =yes) [3391] string-match:http-req-uri-query-param-name:recipient(fcase =no) [3392] string-match:http-req-uri-query-param-value:;(/bin/|/usr/|/sbin/|mail|sendmail|cat)(fcase =no) [3393] string-match:pop3-user-cmd-param:\x3c\x18\x2f\x62\x37\x18\x69\x6e\x3c\x19\x2f\x73\x37\x39\x68\x2e\xaf\xb8\xff\xf8\xaf\xb9\xff\xfc\xa3\xa0\xff\xff\x27\xa4\xff\xf8\x27\xa5\xff\xf0\x01\x60\x30\x24\xaf\xa4\xff\xf0\xaf\xa0\xff\xf4\x24\x02\x04\x23\x03\xff\xff\xcc(fcase =no) [3394] string-match:pop3-rsp-text:UCB Pop server(fcase =no) [3395] string-match:pop3-invalid-cmd-text:\xff\xff/bin/sh(fcase =no) [3396] string-match:smtp-PIF-message-body:JtyEQ2khTGSHMjwQOHGBuy9F(fcase =no) [3397] string-match:smtp-PIF-message-body:nuhESCUnQTM1NAJiGRcSoeRD(fcase =no) [3398] string-match:pop3-PIF-message-body:JtyEQ2khTGSHMjwQOHGBuy9F(fcase =no) [3399] string-match:pop3-PIF-message-body:nuhESCUnQTM1NAJiGRcSoeRD(fcase =no) [3400] string-match:imap-PIF-message-body:JtyEQ2khTGSHMjwQOHGBuy9F(fcase =no) [3401] string-match:imap-PIF-message-body:nuhESCUnQTM1NAJiGRcSoeRD(fcase =no) [3402] string-match:http-req-uri-path:/guest\.cgi(fcase =yes) [3403] string-match:http-req-message-body-query-param-name:mailprog(fcase =yes) [3404] string-match:http-req-message-body-query-param-name:date_command(fcase =yes) [3405] string-match:pktsearch-req-text:^menu(fcase =no) [3406] 
string-match:pktsearch-req-text:^glos(fcase =no) [3407] string-match:pktsearch-rsp-text:^NaZWA UZYTKOWNIKA(fcase =no) [3408] numerical-eq:h225-error-code:0xffffffff:DestinationSequenceAnomaly:no [3409] string-match:ftp-stat-cmd-param:\n200 (fcase =no) [3410] string-match:ftp-stat-cmd-param:\n227 (fcase =no) [3411] string-match:http-req-uri-path:(/|\\)(perl|python|ruby)$(fcase =no) [3412] string-match:http-req-uri-path:(\\|/)sh$(fcase =no) [3413] string-match:http-req-uri-path:(\\|/)ash$(fcase =no) [3414] string-match:http-req-uri-path:(\\|/)bash$(fcase =no) [3415] string-match:http-req-uri-path:(\\|/)csh$(fcase =no) [3416] string-match:http-req-uri-path:(\\|/)ksh$(fcase =no) [3417] string-match:http-req-uri-path:(\\|/)tcsh$(fcase =no) [3418] string-match:http-req-uri-path:(\\|/)zsh$(fcase =no) [3419] string-match:http-req-uri-path:(\\|/)rsh$(fcase =no) [3420] string-match:http-req-uri-path:(\\|/)rksh$(fcase =no) [3421] string-match:tns-req-data-data-text:UTL_FILE\.(FOPEN|FRENAME|FREMOVE)(fcase =no) [3422] string-match:tns-req-data-data-text:(/|\\)\.(/|\\)\.\.(/|\\)(fcase =no) [3423] string-match:smtp-EXE-message-body:7cOiRK3LBcIAqCikpogQeMhX(fcase =no) [3424] string-match:smtp-EXE-message-body:7+OypJ8kRHFAkBAUX+3S1C9t(fcase =no) [3425] string-match:smtp-SCR-message-body:7cOiRK3LBcIAqCikpogQeMhX(fcase =no) [3426] string-match:smtp-SCR-message-body:7+OypJ8kRHFAkBAUX+3S1C9t(fcase =no) [3427] string-match:smtp-COM-message-body:7cOiRK3LBcIAqCikpogQeMhX(fcase =no) [3428] string-match:smtp-COM-message-body:7+OypJ8kRHFAkBAUX+3S1C9t(fcase =no) [3429] string-match:pop3-EXE-message-body:7cOiRK3LBcIAqCikpogQeMhX(fcase =no) [3430] string-match:pop3-EXE-message-body:7+OypJ8kRHFAkBAUX+3S1C9t(fcase =no) [3431] string-match:pop3-SCR-message-body:7cOiRK3LBcIAqCikpogQeMhX(fcase =no) [3432] string-match:pop3-SCR-message-body:7+OypJ8kRHFAkBAUX+3S1C9t(fcase =no) [3433] string-match:pop3-COM-message-body:7cOiRK3LBcIAqCikpogQeMhX(fcase =no) [3434] 
string-match:pop3-COM-message-body:7+OypJ8kRHFAkBAUX+3S1C9t(fcase =no) [3435] string-match:imap-EXE-message-body:7cOiRK3LBcIAqCikpogQeMhX(fcase =no) [3436] string-match:imap-EXE-message-body:7+OypJ8kRHFAkBAUX+3S1C9t(fcase =no) [3437] string-match:imap-SCR-message-body:7cOiRK3LBcIAqCikpogQeMhX(fcase =no) [3438] string-match:imap-SCR-message-body:7+OypJ8kRHFAkBAUX+3S1C9t(fcase =no) [3439] string-match:imap-COM-message-body:7cOiRK3LBcIAqCikpogQeMhX(fcase =no) [3440] string-match:imap-COM-message-body:7+OypJ8kRHFAkBAUX+3S1C9t(fcase =no) [3441] string-match:mysql-req-query-payload:insert into(fcase =yes) [3442] string-match:mysql-req-query-payload:\x37\x66\x34\x35\x34\x63\x34\x36(fcase =no) [3443] string-match:mysql-req-query-payload:create function(fcase =yes) [3444] string-match:mysql-req-query-payload:libc\.so\.6(fcase =yes) [3445] string-match:mysql-req-query-payload:\xb0\x0b\xcd\x80(fcase =no) [3446] numerical-eq:pktsearch-udp-dst-port:0xffffffff:40666:no [3447] string-match:pktsearch-req-text:^ - PONG! 
- v1\.0 Ready!(fcase =no) [3448] string-match:pktsearch-req-text:^0x100(fcase =no) [3449] string-match:pktsearch-req-text:^0xF800(fcase =no) [3450] numerical-eq:pktsearch-udp-dst-port:0xffffffff:41666:no [3451] unsigned-gt:imap-unsubscribe-cmd-param-length:0xffffffff:1024:no [3452] string-match:netbios-ss-smb-namepipe-CI_SKADS-buffer:\x90\x90\x90\x90\x90(fcase =no) [3453] string-match:netbios-ss-smb-namepipe-CI_SKADS-buffer:\xe8\x80#80\xff\xff\xff(fcase =no) [3454] string-match:http-req-uri-path:viewexample\.cfm$(fcase =yes) [3455] string-match:http-req-uri-query-param-name:Tagname(fcase =yes) [3456] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:30029:no [3457] string-match:pktsearch-req-text:^INFO(fcase =no) [3458] string-match:pktsearch-rsp-text:^AOL Admin Server(fcase =no) [3459] string-match:pktsearch-rsp-text:^ANSWER OK (fcase =no) [3460] string-match:pktsearch-trin00-d2m-req-text:PONG(fcase =no) [3461] string-match:tds-mssql-client-query-payload:x\x00p\x00_\x00s\x00q\x00l\x00i\x00n\x00v\x00e\x00n\x00t\x00o\x00r\x00y\x00 (fcase =yes) [3462] string-match:netbios-ss-tds-client-query-payload:x\x00p\x00_\x00s\x00q\x00l\x00i\x00n\x00v\x00e\x00n\x00t\x00o\x00r\x00y\x00 (fcase =yes) [3463] string-match:smtp-PIF-message-body:x7tscbmaToDQATpSxaLRwOmf(fcase =no) [3464] string-match:smtp-PIF-message-body:VxJh+79fv5J0Sd2pgs4iyWCr(fcase =no) [3465] string-match:telnet-client-login:\x0a\xf7\x02\x97(fcase =no) [3466] string-match:telnet-client-login:\x0b\x18\x02\x98(fcase =no) [3467] string-match:telnet-client-login:\x0b\x39\x02\x99(fcase =no) [3468] string-match:telnet-client-login:\x0b\x5a\x02\x9a(fcase =no) [3469] string-match:telnet-client-login:\x20\x20\x08\x01(fcase =no) [3470] string-match:telnet-client-login:\xe4\x20\xe0\x08(fcase =no) [3471] string-match:telnet-client-login:\x24\x02\x04\x53(fcase =no) [3472] string-match:telnet-client-login:\x24\x02\x03\xf3(fcase =no) [3473] string-match:telnet-client-login:\x24\x02\x04\x25(fcase =no) [3474] 
string-match:telnet-client-login:\x24\x02\x03\xee(fcase =no) [3475] string-match:telnet-client-login:\x24\x02\x03\xeb(fcase =no) [3476] string-match:telnet-client-login:\x03\xff\xff\xcc(fcase =no) [3477] string-match:telnet-client-login:\x02..\x0c(fcase =no) [3478] string-match:telnet-client-login:\x01\x01\x01\x0c(fcase =no) [3479] string-match:telnet-client-login:\x13\x74\xf0\x47(fcase =no) [3480] string-match:telnet-client-login:\x12\x74\xf0\x47(fcase =no) [3481] string-match:telnet-client-login:\x11\x74\xf0\x47(fcase =no) [3482] string-match:telnet-client-login:/bin/sh(fcase =no) [3483] string-match:telnet-client-login:\xff\xff\xff\xed\xff\x1f\xd2/bin(fcase =no) [3484] string-match:telnet-client-login:\xff\x7e\xb2\x13\x94\xe7\x43\x20\x35\x60\x42(fcase =no) [3485] string-match:telnet-client-login:h....X5....H..PP..PPa(fcase =no) [3486] string-match:telnet-client-login:-....-....-....PQX-....-....-....PQX(fcase =no) [3487] string-match:telnet-client-login:-....-....PQX-....-....PQX(fcase =no) [3488] string-match:telnet-client-login:\x80\x30.\x40\xe2\xfa(fcase =no) [3489] string-match:telnet-client-login:\xac\x34.\xaa\xe2\xfa(fcase =no) [3490] string-match:telnet-client-login:\x2C\x61\x90\x50\x59\x66\xAD\x90(fcase =no) [3491] string-match:telnet-client-login:\xac\x2c.\xaa\xe2\xf5(fcase =no) [3492] string-match:telnet-client-login:\x9a\xff\xff\xff\xff\x07\xff(fcase =no) [3493] string-match:telnet-client-login:\xaa\x10\x10\x10\x10\x17\x10(fcase =no) [3494] string-match:telnet-client-login:\x9a\x01\x02\x03\x5c\x07\x04(fcase =no) [3495] string-match:telnet-client-login:\x9a\x04\x04\x04\x04\x07\x04(fcase =no) [3496] string-match:telnet-client-login:\x9a\x24\x24\x24\x24\x07\x24(fcase =no) [3497] string-match:http-req-uri-path:(/|\\)httpodbc\.dll(fcase =yes) [3498] unsigned-gt:smtp-expn-cmd-param-length:0xffffffff:1000:no [3499] string-match:http-req-uri-path:poster/$(fcase =yes) [3500] string-match:http-req-uri-query-params:go=setup_submit(fcase =yes) [3501] 
string-match:http-req-uri-query-params:un=(fcase =yes) [3502] string-match:pktsearch-rsp-text:^\xFF\xFE\x01\xFF\xF0\x20\x2D\x2D\x2D(fcase =no) [3503] string-match:pktsearch-rsp-text:\x2D\x0D\x0A\x20SoftEther Virtual HUB Administration Console(fcase =no) [3504] string-match:icmp-echo-payload:SoftEther Keep-Alive Packet(fcase =no) [3505] string-match:pktsearch-req-text:SoftEther Protocol(fcase =no) [3506] string-match:pktsearch-req-text:^\x80\x2F\x01\x03\x01\x00\x06\x00\x00\x00\x20\x00\x00\x04\x01\x00\x80(fcase =no) [3507] string-match:pktsearch-rsp-text:^\x16\x03\x01\x00\x4a\x02(fcase =no) [3508] numerical-eq:pktsearch-udp-dst-port:0xffffffff:666:no [3509] numerical-eq:pktsearch-udp-dst-port:0xffffffff:1042:no [3510] string-match:pktsearch-req-text:Bla Ver [12345]\x2eo.(fcase =no) [3511] unsigned-gt:rpc-call-data-len:0xffffffff:500:no [3512] string-match:http-req-uri-path:\.asp\.$(fcase =yes) [3513] string-match:http-req-uri-path:(\\|/)aglimpse(fcase =yes) [3514] string-match:http-req-uri:\|IFS=.;CMD=(fcase =yes) [3515] string-match:http-req-uri:;eval\$CMD;(fcase =yes) [3516] string-match:http-req-uri-path:/isqlplus(fcase =no) [3517] unsigned-gt:http-req-uri-query-param-value-length:0xffffffff:255:no [3518] string-match:http-req-uri-query-param-name:username(fcase =no) [3519] string-match:http-req-uri-query-param-name:privilege(fcase =no) [3520] string-match:http-req-uri-query-param-name:sid(fcase =no) [3521] string-match:http-req-uri-query-param-name:password(fcase =no) [3522] string-match:http-req-uri-query-param-name:action(fcase =no) [3523] string-match:http-post-req-uri-path:/isqlplus(fcase =no) [3524] unsigned-gt:http-post-req-uri-query-param-value-length:0xffffffff:2500:no [3525] string-match:http-post-req-uri-query-param-name:username(fcase =no) [3526] unsigned-gt:http-post-req-message-body-length:0xffffffff:2500:no [3527] string-match:http-post-req-message-body:action=(fcase =no) [3528] string-match:http-post-req-message-body:password=(fcase =no) [3529] 
string-match:http-post-req-message-body:username=(fcase =no) [3530] string-match:http-post-req-message-body:privilege=(fcase =no) [3531] string-match:http-post-req-message-body:sid=(fcase =no) [3532] string-match:pop3-user-cmd-param:\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa(fcase =no) [3533] string-match:pop3-user-cmd-param:\xff\xff/bin/sh\xff(fcase =no) [3534] string-match:pop3-user-cmd-param:\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4(fcase =no) [3535] string-match:pop3-user-cmd-param:\xe8\xc6\xff\xff\xff/bin/sh(fcase =no) [3536] string-match:smtp-PIF-message-body:rTOZZkXcovXPEbcM55nTk//T(fcase =no) [3537] string-match:smtp-PIF-message-body:DYBLpAg6BQBEb2Vya7YQ2xat(fcase =no) [3538] string-match:smtp-ZIP-message-body:rTOZZkXcovXPEbcM55nTk//T(fcase =no) [3539] string-match:smtp-ZIP-message-body:DYBLpAg6BQBEb2Vya7YQ2xat(fcase =no) [3540] string-match:smtp-ZIP-message-body:M5lmRdyi9c8RtwznmdOT/9MN(fcase =no) [3541] string-match:smtp-ZIP-message-body:gEukCDoFAERvZXJrthDbFq0Z(fcase =no) [3542] string-match:smtp-ZIP-message-body:mWZF3KL1zxG3DOeZ05P/0w2A(fcase =no) [3543] string-match:smtp-ZIP-message-body:S6QIOgUARG9lcmu2ENsWrRmJ(fcase =no) [3544] string-match:pop3-PIF-message-body:rTOZZkXcovXPEbcM55nTk//T(fcase =no) [3545] string-match:pop3-PIF-message-body:DYBLpAg6BQBEb2Vya7YQ2xat(fcase =no) [3546] string-match:pop3-ZIP-message-body:rTOZZkXcovXPEbcM55nTk//T(fcase =no) [3547] string-match:pop3-ZIP-message-body:DYBLpAg6BQBEb2Vya7YQ2xat(fcase =no) [3548] string-match:pop3-ZIP-message-body:M5lmRdyi9c8RtwznmdOT/9MN(fcase =no) [3549] string-match:pop3-ZIP-message-body:gEukCDoFAERvZXJrthDbFq0Z(fcase =no) [3550] string-match:pop3-ZIP-message-body:mWZF3KL1zxG3DOeZ05P/0w2A(fcase =no) [3551] string-match:pop3-ZIP-message-body:S6QIOgUARG9lcmu2ENsWrRmJ(fcase =no) [3552] string-match:imap-PIF-message-body:rTOZZkXcovXPEbcM55nTk//T(fcase =no) [3553] string-match:imap-PIF-message-body:DYBLpAg6BQBEb2Vya7YQ2xat(fcase =no) [3554] 
string-match:imap-ZIP-message-body:rTOZZkXcovXPEbcM55nTk//T(fcase =no) [3555] string-match:imap-ZIP-message-body:DYBLpAg6BQBEb2Vya7YQ2xat(fcase =no) [3556] string-match:imap-ZIP-message-body:M5lmRdyi9c8RtwznmdOT/9MN(fcase =no) [3557] string-match:imap-ZIP-message-body:gEukCDoFAERvZXJrthDbFq0Z(fcase =no) [3558] string-match:imap-ZIP-message-body:mWZF3KL1zxG3DOeZ05P/0w2A(fcase =no) [3559] string-match:imap-ZIP-message-body:S6QIOgUARG9lcmu2ENsWrRmJ(fcase =no) [3560] string-match:telnet-server-data-text:\xFF\xFA\x25\x01\x02\x00\xFF\xF0(fcase =no) [3561] string-match:telnet-server-data-text:\xFF\xFA\x25\x01\x03\x00\xFF\xF0(fcase =no) [3562] string-match:telnet-server-data-text:\xFF\xFA\x25\x01\x04\x00\xFF\xF0(fcase =no) [3563] string-match:telnet-server-data-text:\xFF\xFA\x25\x01\x05\x00\xFF\xF0(fcase =no) [3564] string-match:telnet-server-data-text:\xFF\xFA\x25\x01\x06\x00\xFF\xF0(fcase =no) [3565] string-match:telnet-server-data-text:\xFF\xFA\x25\x01\x07\x00\xFF\xF0(fcase =no) [3566] string-match:telnet-server-data-text:\xFF\xFA\x25\x01\x0a\x00\xFF\xF0(fcase =no) [3567] string-match:telnet-server-data-text:\xFF\xFA\x25\x01\x0b\x00\xFF\xF0(fcase =no) [3568] string-match:telnet-server-data-text:\xFF\xFA\x25\x01\x0c\x00\xFF\xF0(fcase =no) [3569] string-match:telnet-server-data-text:\xFF\xFA\x25\x01\x0d\x00\xFF\xF0(fcase =no) [3570] string-match:telnet-server-data-text:\xFF\xFA\x25\x01\x0e\x00\xFF\xF0(fcase =no) [3571] string-match:telnet-client-authentication-sb-param:^\x00\x0F\x00(fcase =no) [3572] string-match:telnet-client-authentication-sb-param:\x4E\x54\x4C\x4D\x53\x53\x50\x00\x01\x00\x00\x00(fcase =no) [3573] string-match:telnet-client-authentication-sb-param:^\x00\x0F(fcase =no) [3574] string-match:telnet-client-authentication-sb-param:\x4E\x54\x4C\x4D\x53\x53\x50\x00\x03\x00\x00\x00\x12\x00\x12(fcase =no) [3575] numerical-eq:pktsearch-rsp-1st-4b:0xFFFF0000:0x30320000:no [3576] 
string-match:netbios-ss-smb-OPEN-filename:d\x00e\x00s\x00k\x00t\x00o\x00p\x00\.\x00i\x00n\x00i\x00(fcase =yes) [3577] unsigned-gt:netbios-ss-smb-rsp-read_andx-bytecount:0xffffffff:3000:no [3578] string-match:netbios-ss-smb-rsp-read_andx-buffer:\x5b\x00\.\x00S\x00h\x00e\x00l\x00l\x00C\x00l\x00a\x00s\x00s\x00I\x00n\x00f\x00o\x00\x5d\x00(fcase =yes) [3579] string-match:netbios-ss-smb-rsp-read_andx-buffer:\x00KERNEL32\x00(fcase =yes) [3580] string-match:netbios-ss-smb-rsp-read_andx-buffer:\xcc\x59\xfb\x77(fcase =yes) [3581] string-match:pktsearch-req-text:%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..%..(fcase =no) [3582] numerical-eq:rpc-call-prognum:0xffffffff:100300:no [3583] numerical-eq:rpc-call-procedure:0xffffffff:22:no [3584] string-match:tds-mssql-client-query-payload:x\x00p\x00_\x00r\x00e\x00g\x00(fcase =yes) [3585] string-match:netbios-ss-tds-client-query-payload:x\x00p\x00_\x00r\x00e\x00g\x00(fcase =yes) [3586] unsigned-gt:snmp-version-msg-qllength:0xffffffff:4:no [3587] unsigned-gt:snmp-version-length-of-length:0xffffffff:2:no [3588] string-match:ssh-req-text:SSH-2.0-GOBBLES(fcase =no) [3589] string-match:ssh-rsp-text:*GOBBLE*(fcase =no) [3590] string-match:ssh-req-text:id[\n; \t](fcase =no) [3591] string-match:ssh-rsp-text:uid=0\(root\).gid=(fcase =no) [3592] string-match:ssh-rsp-text:uid=.\(bin\).gid=(fcase =no) [3593] string-match:ssh-rsp-text:uid=.\(sys\).gid=(fcase =no) [3594] string-match:ssh-req-text:hostname(fcase =no) [3595] string-match:ssh-req-text:ifconfig(fcase =no) [3596] string-match:http-req-uri-query-param-name:NS-rel-doc-name(fcase =yes) [3597] string-match:http-req-query-params:ul=(fcase =yes) [3598] string-match:http-req-query-param-name:tmplt(fcase =yes) [3599] unsigned-gt:http-req-query-param-value-length:0xffffffff:1024:no [3600] string-match:http-req-uri-path:search\.cgi(fcase =yes) [3601] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:650:no 
[3602] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:6272:no [3603] string-match:pktsearch-rsp-text:^220 ICS FTP Server ready\.(fcase =no) [3604] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:14286:no [3605] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:14285:no [3606] string-match:icmp-echo-reply-payload:\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41(fcase =no) [3607] unsigned-gt:http-req-uri-path-length:0xffffffff:1000:no [3608] string-match:http-req-uri-path:/admin_/help/(fcase =no) [3609] string-match:http-req-uri-path:(\\|/)code\.php3(fcase =no) [3610] string-match:smtp-SCR-message-body:ApIAUCZKAEAD/bJpmiwQBPQl(fcase =no) [3611] string-match:smtp-SCR-message-body:6AEAS85pmm7ZH8gqwAO4sKim(fcase =no) [3612] string-match:smtp-PIF-message-body:ApIAUCZKAEAD/bJpmiwQBPQl(fcase =no) [3613] string-match:smtp-PIF-message-body:6AEAS85pmm7ZH8gqwAO4sKim(fcase =no) [3614] string-match:smtp-CMD-message-body:ApIAUCZKAEAD/bJpmiwQBPQl(fcase =no) [3615] string-match:smtp-CMD-message-body:6AEAS85pmm7ZH8gqwAO4sKim(fcase =no) [3616] string-match:smtp-EXE-message-body:ApIAUCZKAEAD/bJpmiwQBPQl(fcase =no) [3617] string-match:smtp-EXE-message-body:6AEAS85pmm7ZH8gqwAO4sKim(fcase =no) [3618] string-match:smtp-BAT-message-body:ApIAUCZKAEAD/bJpmiwQBPQl(fcase =no) [3619] string-match:smtp-BAT-message-body:6AEAS85pmm7ZH8gqwAO4sKim(fcase =no) [3620] string-match:pop3-SCR-message-body:ApIAUCZKAEAD/bJpmiwQBPQl(fcase =no) [3621] string-match:pop3-SCR-message-body:6AEAS85pmm7ZH8gqwAO4sKim(fcase =no) [3622] string-match:pop3-PIF-message-body:ApIAUCZKAEAD/bJpmiwQBPQl(fcase =no) [3623] string-match:pop3-PIF-message-body:6AEAS85pmm7ZH8gqwAO4sKim(fcase =no) [3624] string-match:pop3-CMD-message-body:ApIAUCZKAEAD/bJpmiwQBPQl(fcase =no) [3625] string-match:pop3-CMD-message-body:6AEAS85pmm7ZH8gqwAO4sKim(fcase =no) [3626] string-match:pop3-EXE-message-body:ApIAUCZKAEAD/bJpmiwQBPQl(fcase =no) [3627] string-match:pop3-EXE-message-body:6AEAS85pmm7ZH8gqwAO4sKim(fcase =no) [3628] 
string-match:pop3-BAT-message-body:ApIAUCZKAEAD/bJpmiwQBPQl(fcase =no) [3629] string-match:pop3-BAT-message-body:6AEAS85pmm7ZH8gqwAO4sKim(fcase =no) [3630] string-match:imap-SCR-message-body:ApIAUCZKAEAD/bJpmiwQBPQl(fcase =no) [3631] string-match:imap-SCR-message-body:6AEAS85pmm7ZH8gqwAO4sKim(fcase =no) [3632] string-match:imap-PIF-message-body:ApIAUCZKAEAD/bJpmiwQBPQl(fcase =no) [3633] string-match:imap-PIF-message-body:6AEAS85pmm7ZH8gqwAO4sKim(fcase =no) [3634] string-match:imap-CMD-message-body:ApIAUCZKAEAD/bJpmiwQBPQl(fcase =no) [3635] string-match:imap-CMD-message-body:6AEAS85pmm7ZH8gqwAO4sKim(fcase =no) [3636] string-match:imap-EXE-message-body:ApIAUCZKAEAD/bJpmiwQBPQl(fcase =no) [3637] string-match:imap-EXE-message-body:6AEAS85pmm7ZH8gqwAO4sKim(fcase =no) [3638] string-match:imap-BAT-message-body:ApIAUCZKAEAD/bJpmiwQBPQl(fcase =no) [3639] string-match:imap-BAT-message-body:6AEAS85pmm7ZH8gqwAO4sKim(fcase =no) [3640] string-match:smtp-ZIP-message-body:Jx+eAFgAAABY(fcase =no) [3641] string-match:pop3-ZIP-message-body:Jx+eAFgAAABY(fcase =no) [3642] string-match:imap-ZIP-message-body:Jx+eAFgAAABY(fcase =no) [3643] string-match:http-req-uri-path:cart32\.exe/cart32clientlist(fcase =yes) [3644] string-match-ap:req-content-text:(\xE3|\xC5|\xD4).\x00\x00\x00(fcase =no)(offset=0, depth=0) [3645] string-match-ap:rsp-content-text:\xE3.\x00\x00\x00\x59(fcase =no) [3646] string-match:pktsearch-req-text:GET\r\n\r\n\r\n\r\n\r\n\r\n(fcase =no) [3647] string-match:pktsearch-req-text:GET\n\n\n\n\n\n(fcase =no) [3648] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:9090:no [3649] string-match:telnet-client-data-text:\xCD\x80(fcase =no) [3650] string-match:telnet-client-data-text:(\xFF\xFB\xAA){4}(fcase =no) [3651] unsigned-gt:http-webdav-propfind-req-content-length:0xffffffff:49152:no [3652] unsigned-gt:http-webdav-search-req-content-length:0xffffffff:12200:no [3653] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:31785:no [3654] 
numerical-eq:pktsearch-tcp-dst-port:0xffffffff:31388:no [3655] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:31790:no [3656] numerical-eq:pktsearch-udp-dst-port:0xffffffff:31789:no [3657] numerical-eq:pktsearch-udp-dst-port:0xffffffff:31791:no [3658] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:31792:no [3659] string-match:pktsearch-req-text:^general(fcase =no) [3660] string-match:ftp-site-cmd-param:NEWER(fcase =yes) [3661] string-match:smtp-ZIP-message-body:MKB33zAFTDFMdHW8MiXp6Ntp(fcase =no) [3662] string-match:smtp-ZIP-message-body:g401bAWVAVW1o/HdObZM160X(fcase =no) [3663] string-match:smtp-ZIP-message-body:oHffMAVMMUx0dbwyJeno22mD(fcase =no) [3664] string-match:smtp-ZIP-message-body:jTVsBZUBVbWj8d05tkzXrRcv(fcase =no) [3665] string-match:smtp-ZIP-message-body:d98wBUwxTHR1vDIl6ejbaYON(fcase =no) [3666] string-match:smtp-ZIP-message-body:NWwFlQFVtaPx3Tm2TNetFy+x(fcase =no) [3667] string-match:imap-ZIP-message-body:MKB33zAFTDFMdHW8MiXp6Ntp(fcase =no) [3668] string-match:imap-ZIP-message-body:g401bAWVAVW1o/HdObZM160X(fcase =no) [3669] string-match:imap-ZIP-message-body:oHffMAVMMUx0dbwyJeno22mD(fcase =no) [3670] string-match:imap-ZIP-message-body:jTVsBZUBVbWj8d05tkzXrRcv(fcase =no) [3671] string-match:imap-ZIP-message-body:d98wBUwxTHR1vDIl6ejbaYON(fcase =no) [3672] string-match:imap-ZIP-message-body:NWwFlQFVtaPx3Tm2TNetFy+x(fcase =no) [3673] string-match:pop3-ZIP-message-body:MKB33zAFTDFMdHW8MiXp6Ntp(fcase =no) [3674] string-match:pop3-ZIP-message-body:g401bAWVAVW1o/HdObZM160X(fcase =no) [3675] string-match:pop3-ZIP-message-body:oHffMAVMMUx0dbwyJeno22mD(fcase =no) [3676] string-match:pop3-ZIP-message-body:jTVsBZUBVbWj8d05tkzXrRcv(fcase =no) [3677] string-match:pop3-ZIP-message-body:d98wBUwxTHR1vDIl6ejbaYON(fcase =no) [3678] string-match:pop3-ZIP-message-body:NWwFlQFVtaPx3Tm2TNetFy+x(fcase =no) [3679] string-match:pktsearch-rsp-text:^Michal 5\.00(fcase =no) [3680] string-match:pktsearch-rsp-text:^\x28\x00\x00\x00(fcase =no) [3681] 
string-match:pktsearch-rsp-text:^\x29\x00\x00\x00(fcase =no) [3682] string-match:pktsearch-req-text:^\x27\x00\x00\x00..\x4b\x61\x5a\x61\x41\x00(fcase =no) [3683] string-match:pktsearch-req-text:^\x27\x00\x00\x00..Grokster\x00(fcase =no) [3684] string-match:pktsearch-req-text:^\x27\x00\x00\x00..MusicCity\x00(fcase =no) [3685] string-match:pktsearch-req-text:^\x27\x00\x00\x00..fileshare\x00(fcase =no) [3686] string-match:ftp-rsp-text:^FTP Server ready \[(fcase =no) [3687] string-match:ftp-cwd-cmd-param:\. (fcase =no) [3688] string-match:ftp-cwd-cmd-param:/\.\./(fcase =no) [3689] string-match:ftp-list-cmd-param:/\.\./(fcase =no) [3690] string-match:ftp-nlst-cmd-param:/\.\./(fcase =no) [3691] string-match:ftp-retr-cmd-param:\\BrokerProfiles\.Dat(fcase =no) [3692] unsigned-gt:ftp-user-cmd-param-length:0xffffffff:2850:no [3693] unsigned-gt:http-req-uri-path-length:0xffffffff:198:no [3694] string-match:http-req-uri-path:\.shtml$(fcase =no) [3695] unsigned-gt:rexec-username-client-login-length:0xffffffff:128:no [3696] unsigned-gt:rexec-client-handshake-serveruser-text-length:0xffffffff:128:no [3697] string-match:http-req-uri-path:(\\|/)showcode\.asp$(fcase =yes) [3698] string-match:http-req-uri-path:(\\|/)codebrws\.asp$(fcase =yes) [3699] string-match:http-req-uri-path:(\\|/)winmsdp\.exe$(fcase =yes) [3700] string-match:snmp-get-varbind-object-id-field:^\x2b\x06\x01\x04\x01\x2b\x0a\x04\x02(fcase =no) [3701] string-match:snmp-get-next-varbind-object-id-field:^\x2b\x06\x01\x04\x01\x2b\x0a\x04\x02(fcase =no) [3702] string-match:snmp-set-varbind-object-id-field:^\x2b\x06\x01\x04\x01\x2b\x0a\x04\x02(fcase =no) [3703] string-match:snmp-v2-bulk-varbind-object-id-field:^\x2b\x06\x01\x04\x01\x2b\x0a\x04\x02(fcase =no) [3704] string-match:netbios-ss-dcerpc-req-LOCATOR-request-payload:/\x00\.\x00\.\x00\.\x00(fcase =no) [3705] string-match:netbios-ss-dcerpc-req-LOCATOR-request-payload:/\x00\.\x00:\x00(fcase =no) [3706] 
numerical-eq:netbios-ss-dcerpc-req-LOCATOR-request-op-num:0xffffffff:0:no [3707] unsigned-gt:netbios-ss-dcerpc-req-LOCATOR-request-frag-length:0xffffffff:0xeb:no [3708] string-match:netbios-ss-smb-tree_connect_andx-buffer:ADMIN\$(fcase =yes) [3709] string-match:netbios-ss-smb-tree_connect_andx-buffer:\\\x00A\x00D\x00M\x00I\x00N\x00\$(fcase =yes) [3710] numerical-eq:netbios-ss-tree_connect_andx-smb-param-password-length:0xffffffff:1:no [3711] string-match:http-req-uri-path:/boozt/(fcase =no) [3712] unsigned-gt:http-req-message-body-query-param-value-length:0xffffffff:1500:no [3713] string-match:http-req-uri-path:/index\.cgi(fcase =no) [3714] string-match:pktsearch-rsp-text:^HTTP V 1\.01 Enter request !(fcase =no) [3715] string-match:pktsearch-rsp-text:^Password Accepted !(fcase =no) [3716] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:48:no [3717] string-match:ftp-site-cmd-param:%x %x %x %x +%x \|%x(fcase =no) [3718] string-match:ftp-site-cmd-param:%020d\|%\.f%\.f\|(fcase =no) [3719] string-match:pktsearch-shaft-h2a-req-text:alive tijgu(fcase =no) [3720] string-match:smtp-PIF-message-body:gDu+4N2GfLiPElxZdA1KVlmy(fcase =no) [3721] string-match:smtp-PIF-message-body:hc5vWVuGDEZnYzfjWVPdXYv4(fcase =no) [3722] string-match:pop3-PIF-message-body:gDu+4N2GfLiPElxZdA1KVlmy(fcase =no) [3723] string-match:pop3-PIF-message-body:hc5vWVuGDEZnYzfjWVPdXYv4(fcase =no) [3724] string-match:imap-PIF-message-body:gDu+4N2GfLiPElxZdA1KVlmy(fcase =no) [3725] string-match:imap-PIF-message-body:hc5vWVuGDEZnYzfjWVPdXYv4(fcase =no) [3726] unsigned-gt:dhcp-cf-option-len:0xffffffff:128:no [3727] numerical-eq:radius-accouting-request-length:0xffffffff:1024:no [3728] numerical-eq:radius-accouting-request-length:0xffffffff:2048:no [3729] numerical-eq:radius-accouting-request-length:0xffffffff:4096:no [3730] numerical-eq:radius-accouting-request-length:0xffffffff:8192:no [3731] numerical-eq:radius-accouting-request-attr-counter:0xffffffff:5:no [3732] 
string-match:pktsearch-req-text:\x24\x02\x03\xf3(fcase =no) [3733] string-match:pktsearch-req-text:\x24\x02\x04\x23(fcase =no) [3734] string-match:pktsearch-req-text:\x03..\xcc(fcase =no) [3735] string-match:pktsearch-req-text:\x02..\x0c(fcase =no) [3736] string-match:pktsearch-req-text:\x01..\x0c(fcase =no) [3737] string-match:smtp-subject-message-header:you have a(fcase =yes) [3738] string-match:smtp-subject-message-header:card from(fcase =yes) [3739] string-match:smtp-message-body:\nhttp://www\.(Laugh-Mail|friend-card|friend-cards|cool-download|friend-greeting|friend-greet|friendgreetings|friend-greetings)\.(com|net)/(fcase =yes) [3740] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:10100:no [3741] numerical-eq:pktsearch-rsp-1st-4b:0xFFFFFF00:0x30303000:no [3742] numerical-eq:dcerpc-req-DCOM-request-frag-length:0xffffffff:2904:no [3743] string-match:dcerpc-dcom-machine-name:\xc5\xd4\xd4\xd4\x3c\x5e\xd6\xd4\xd4\x5d\x57\x95(fcase =no) [3744] numerical-eq:netbios-ss-dcerpc-req-DCOM-request-frag-length:0xffffffff:2904:no [3745] string-match:netbios-ss-dcerpc-dcom-machine-name:\xc5\xd4\xd4\xd4\x3c\x5e\xd6\xd4\xd4\x5d\x57\x95(fcase =no) [3746] string-match:ftp-site-cmd-param:%\.f%\.f%\.f%\.f%\.f%\.f%\.(fcase =no) [3747] string-match:ftp-site-cmd-param:\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80(fcase =no) [3748] unsigned-gt:rsh-login-fail-counter:0xffffffff:0:no [3749] unsigned-gt:pop3-uidl-cmd-param-length:0xffffffff:200:no [3750] string-match:smtp-EXE-message-body:rXFHiJ1qy1EyALi4uJjIjgW7(fcase =no) [3751] string-match:smtp-EXE-message-body:JTRt4bgcS9pE4kqKRi/bSw1Z(fcase =no) [3752] string-match:pop3-EXE-message-body:rXFHiJ1qy1EyALi4uJjIjgW7(fcase =no) [3753] string-match:pop3-EXE-message-body:JTRt4bgcS9pE4kqKRi/bSw1Z(fcase =no) [3754] string-match:imap-EXE-message-body:rXFHiJ1qy1EyALi4uJjIjgW7(fcase =no) [3755] string-match:imap-EXE-message-body:JTRt4bgcS9pE4kqKRi/bSw1Z(fcase =no) [3756] unsigned-gt:imap-append-cmd-param-length:0xffffffff:1024:no [3757] 
unsigned-gt:netbios-ss-smb-rsp-trans2-shortfilename-length:0xffffffff:24:no [3758] numerical-eq:netbios-ss-error-code:0xffffffff:FINDFIRST2_FILENAME_LENGTH_ERROR:no [3759] unsigned-gt:smtp-rcpt-cmd-param-length:0xffffffff:1024:no [3760] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:334:no [3761] string-match:pktsearch-req-text:^ExecuteUnloadAll(fcase =no) [3762] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:5333:no [3763] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:411:no [3764] string-match:pktsearch-trin00-a2m-req-text:mdie killme(fcase =no) [3765] string-match:ftp-pass-cmd-param:-iss@iss(fcase =no) [3766] string-match:http-get-req-uri-path:cgi-bin(fcase =no) [3767] string-match:http-get-req-uri-path:(\\|/)AnyForm\.cgi(fcase =no) [3768] string-match:http-get-req-user-agent-header:Java1\.2\.1(fcase =no) [3769] string-match:pop3-invalid-cmd-text:\xeb\x26\x5e\x8d\x1e\x89\x5e\x1b\x31\xed\x89\x6e\x17\x89\x6e\x1f(fcase =no) [3770] string-match:pop3-invalid-cmd-text:\xff\xff/////////////////bin/sh(fcase =no) [3771] string-match:telnet-client-data-text:id[\n; \t](fcase =no) [3772] string-match:telnet-client-data-text:[; \t/]id[\n; \t](fcase =no) [3773] string-match:telnet-server-data-text:uid=0\(root\).gid=(fcase =no) [3774] string-match:telnet-server-data-text:uid=.\(bin\).gid=(fcase =no) [3775] string-match:telnet-server-data-text:uid=.\(sys\).gid=(fcase =no) [3776] string-match:telnet-client-data-text:whoami[\n; \t](fcase =no) [3777] string-match:telnet-client-data-text:[; \t/]whoami[\n; \t](fcase =no) [3778] string-match:telnet-server-data-text:root\x0a(fcase =no) [3779] string-match:telnet-server-data-text:bin\x0a(fcase =no) [3780] string-match:telnet-server-data-text:sys\x0a(fcase =no) [3781] string-match:tftp-filename:admin\.dll(fcase =yes) [3782] string-match:smtp-PIF-message-body:AtaVBkrISbMMdUa8YPoCfAmS(fcase =no) [3783] string-match:smtp-PIF-message-body:CMjXQTIjdWouIwiu6GZxFOss(fcase =no) [3784] 
string-match:smtp-EXE-message-body:AtaVBkrISbMMdUa8YPoCfAmS(fcase =no) [3785] string-match:smtp-EXE-message-body:CMjXQTIjdWouIwiu6GZxFOss(fcase =no) [3786] string-match:pop3-PIF-message-body:AtaVBkrISbMMdUa8YPoCfAmS(fcase =no) [3787] string-match:pop3-PIF-message-body:CMjXQTIjdWouIwiu6GZxFOss(fcase =no) [3788] string-match:pop3-EXE-message-body:AtaVBkrISbMMdUa8YPoCfAmS(fcase =no) [3789] string-match:pop3-EXE-message-body:CMjXQTIjdWouIwiu6GZxFOss(fcase =no) [3790] string-match:imap-PIF-message-body:AtaVBkrISbMMdUa8YPoCfAmS(fcase =no) [3791] string-match:imap-PIF-message-body:CMjXQTIjdWouIwiu6GZxFOss(fcase =no) [3792] string-match:imap-EXE-message-body:AtaVBkrISbMMdUa8YPoCfAmS(fcase =no) [3793] string-match:imap-EXE-message-body:CMjXQTIjdWouIwiu6GZxFOss(fcase =no) [3794] string-match:smtp-SCR-message-body:AF0iXlUKBWDHzPA6RDol/A47(fcase =no) [3795] string-match:smtp-SCR-message-body:3GF1vV9i9R8J5KHMd6hZK3PB(fcase =no) [3796] string-match:smtp-EXE-message-body:AF0iXlUKBWDHzPA6RDol/A47(fcase =no) [3797] string-match:smtp-EXE-message-body:3GF1vV9i9R8J5KHMd6hZK3PB(fcase =no) [3798] string-match:smtp-COM-message-body:AF0iXlUKBWDHzPA6RDol/A47(fcase =no) [3799] string-match:smtp-COM-message-body:3GF1vV9i9R8J5KHMd6hZK3PB(fcase =no) [3800] string-match:imap-SCR-message-body:AF0iXlUKBWDHzPA6RDol/A47(fcase =no) [3801] string-match:imap-SCR-message-body:3GF1vV9i9R8J5KHMd6hZK3PB(fcase =no) [3802] string-match:imap-EXE-message-body:AF0iXlUKBWDHzPA6RDol/A47(fcase =no) [3803] string-match:imap-EXE-message-body:3GF1vV9i9R8J5KHMd6hZK3PB(fcase =no) [3804] string-match:imap-COM-message-body:AF0iXlUKBWDHzPA6RDol/A47(fcase =no) [3805] string-match:imap-COM-message-body:3GF1vV9i9R8J5KHMd6hZK3PB(fcase =no) [3806] string-match:pop3-SCR-message-body:AF0iXlUKBWDHzPA6RDol/A47(fcase =no) [3807] string-match:pop3-SCR-message-body:3GF1vV9i9R8J5KHMd6hZK3PB(fcase =no) [3808] string-match:pop3-EXE-message-body:AF0iXlUKBWDHzPA6RDol/A47(fcase =no) [3809] 
string-match:pop3-EXE-message-body:3GF1vV9i9R8J5KHMd6hZK3PB(fcase =no) [3810] string-match:pop3-COM-message-body:AF0iXlUKBWDHzPA6RDol/A47(fcase =no) [3811] string-match:pop3-COM-message-body:3GF1vV9i9R8J5KHMd6hZK3PB(fcase =no) [3812] numerical-eq:netbios-ss-error-code:0xffffffff:NT_TRANSACT2_PARAM_LENGTH_VIOLATION:no [3813] string-match:smtp-rcpt-cmd-param:\.\.[/\\]\.\.(fcase =no) [3814] numerical-eq:netbios-ns-response-query-packet-length:0xffffffff:0x10:no [3815] string-match:http-req-uri-path:\.asp$(fcase =yes) [3816] numerical-eq:rpc-call-cred-flavor:0xffffffff:1:no [3817] string-match:rpc-call-data:ADM_METHOD(fcase =no) [3818] string-match:rpc-call-data:admpipe(fcase =no) [3819] string-match:rpc-call-data:localhost(fcase =no) [3820] string-match:rpc-call-data:127\.0\.0\.1(fcase =no) [3821] string-match:rpc-call-data:\/\.\.\/(fcase =no) [3822] string-match:rpc-call-data:ADM_CLIENT_HOST(fcase =no) [3823] string-match:rpc-reply-data:USER ACCESS DENIED(fcase =no) [3824] string-match:ftp-stor-cmd-param:\.rhosts(fcase =no) [3825] string-match:sip-req-invite-uri-text:\x3C\x3C\x3C\x3C(fcase =no) [3826] string-match:sip-req-subscribe-uri-text:\x3C\x3C\x3C\x3C(fcase =no) [3827] string-match:sip-req-uri-text:\x3C\x3C\x3C\x3C(fcase =no) [3828] unsigned-gt:sip-req-uri-len:0xffffffff:128:no [3829] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:21212:no [3830] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:21554:no [3831] string-match:pktsearch-rsp-text:^Schwindler Servidor\x2e(fcase =no) [3832] unsigned-gt:netbios-ss-rsp-smb-share-name-length:0xffffffff:300:no [3833] string-match:tds-sybase-response-payload:Login failed(fcase =yes) [3834] unsigned-gt:smtp-saml-cmd-param-length:0xffffffff:1024:no [3835] unsigned-gt:smtp-soml-cmd-param-length:0xffffffff:1024:no [3836] string-match:http-req-uri-path:links\.all\.php(fcase =yes) [3837] string-match:http-req-query-param-value:(http|ftp)://(fcase =yes) [3838] unsigned-gt:nfs-v2-call-attr-uid:0xffffffff:0xffff:no [3839] 
numerical-eq:nfs-v2-call-attr-uid:0x0000ffff:0:no [3840] unsigned-gt:nfs-v3-call-attr-uid:0xffffffff:0xffff:no [3841] numerical-eq:nfs-v3-call-attr-uid:0x0000ffff:0:no [3842] string-match:pktsearch-req-text:User-Agent: XoloX(fcase =yes) [3843] string-match:http-get-req-user-agent-header:XoloX(fcase =yes) [3844] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:1963:no [3845] string-match:pktsearch-req-text:\xfd\xe9\xed\xbd(fcase =no) [3846] string-match:pktsearch-req-text:\xef\xe9\xed\xbd(fcase =no) [3847] string-match:pktsearch-rsp-text:\xe9\xed(fcase =no) [3848] string-match:pktsearch-rsp-text:\xed\xfb(fcase =no) [3849] string-match:pktsearch-rsp-text:\xf9\xff\xed(fcase =no) [3850] string-match:pktsearch-rsp-text:\xeb\xed(fcase =no) [3851] string-match:tds-mssql-client-query-payload:o\x00p\x00e\x00n\x00r\x00o\x00w\x00s\x00e\x00t\x00\(\x00(fcase =yes) [3852] string-match:netbios-ss-tds-client-query-payload:o\x00p\x00e\x00n\x00r\x00o\x00w\x00s\x00e\x00t\x00\(\x00(fcase =yes) [3853] numerical-eq:icmp-echo-reply-id:0xffffffff:669:no [3854] string-match:icmp-echo-reply-payload:\x73\x69\x63\x6B\x65\x6e(fcase =no) [3855] unsigned-gt:http-req-chunk-read-body-length:0xffffffff:0x7fffffff:no [3856] unsigned-gt:http-req-host-header-length:0xffffffff:620:no [3857] string-match:http-req-uri-path:snork\.bat(fcase =yes) [3858] string-match:smtp-SCR-message-body:UFNoz2yDjG0SGFdkEQpoY3+h(fcase =no) [3859] string-match:smtp-SCR-message-body:3T1MJxtGavvrmYvYIGz/N/43(fcase =no) [3860] string-match:smtp-PIF-message-body:UFNoz2yDjG0SGFdkEQpoY3+h(fcase =no) [3861] string-match:smtp-PIF-message-body:3T1MJxtGavvrmYvYIGz/N/43(fcase =no) [3862] string-match:smtp-EXE-message-body:UFNoz2yDjG0SGFdkEQpoY3+h(fcase =no) [3863] string-match:smtp-EXE-message-body:3T1MJxtGavvrmYvYIGz/N/43(fcase =no) [3864] string-match:smtp-COM-message-body:UFNoz2yDjG0SGFdkEQpoY3+h(fcase =no) [3865] string-match:smtp-COM-message-body:3T1MJxtGavvrmYvYIGz/N/43(fcase =no) [3866] 
string-match:pop3-SCR-message-body:UFNoz2yDjG0SGFdkEQpoY3+h(fcase =no) [3867] string-match:pop3-SCR-message-body:3T1MJxtGavvrmYvYIGz/N/43(fcase =no) [3868] string-match:pop3-PIF-message-body:UFNoz2yDjG0SGFdkEQpoY3+h(fcase =no) [3869] string-match:pop3-PIF-message-body:3T1MJxtGavvrmYvYIGz/N/43(fcase =no) [3870] string-match:pop3-EXE-message-body:UFNoz2yDjG0SGFdkEQpoY3+h(fcase =no) [3871] string-match:pop3-EXE-message-body:3T1MJxtGavvrmYvYIGz/N/43(fcase =no) [3872] string-match:pop3-COM-message-body:UFNoz2yDjG0SGFdkEQpoY3+h(fcase =no) [3873] string-match:pop3-COM-message-body:3T1MJxtGavvrmYvYIGz/N/43(fcase =no) [3874] string-match:imap-SCR-message-body:UFNoz2yDjG0SGFdkEQpoY3+h(fcase =no) [3875] string-match:imap-SCR-message-body:3T1MJxtGavvrmYvYIGz/N/43(fcase =no) [3876] string-match:imap-PIF-message-body:UFNoz2yDjG0SGFdkEQpoY3+h(fcase =no) [3877] string-match:imap-PIF-message-body:3T1MJxtGavvrmYvYIGz/N/43(fcase =no) [3878] string-match:imap-EXE-message-body:UFNoz2yDjG0SGFdkEQpoY3+h(fcase =no) [3879] string-match:imap-EXE-message-body:3T1MJxtGavvrmYvYIGz/N/43(fcase =no) [3880] string-match:imap-COM-message-body:UFNoz2yDjG0SGFdkEQpoY3+h(fcase =no) [3881] string-match:imap-COM-message-body:3T1MJxtGavvrmYvYIGz/N/43(fcase =no) [3882] string-match:smtp-ZIP-message-body:brAiAFYAAABW(fcase =no) [3883] string-match:pop3-ZIP-message-body:brAiAFYAAABW(fcase =no) [3884] string-match:imap-ZIP-message-body:brAiAFYAAABW(fcase =no) [3885] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:5031:no [3886] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:5032:no [3887] string-match:pktsearch-req-text:^8testtest(fcase =no) [3888] string-match:pktsearch-req-text:^d58614(fcase =no) [3889] string-match:pktsearch-req-text:^rtbar(fcase =no) [3890] string-match:pktsearch-req-text:^htbar(fcase =no) [3891] numerical-eq:netbios-ss-dcerpc-req-LSARPC-request-op-num:0xffffffff:0x0e:no [3892] string-match:netbios-ss-smb-transaction-buffer:\x0e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00(fcase =no) [3893] 
string-match:smtp-rcpt-cmd-param:%20.%20.%20.%20.%20.%20.(fcase =no) [3894] string-match:dns-response-qname:login.oscar.aol.com(fcase =no) [3895] string-match:dns-response-qname:aimexpress.aol.com(fcase =no) [3896] string-match:dns-response-qname:login.icq.com(fcase =no) [3897] string-match:dns-response-qname:my.screenname.aol.com(fcase =no) [3898] string-match:dns-response-qname:xtraz.icq.com(fcase =no) [3899] string-match:dns-response-qname:www.icqproxy.com(fcase =no) [3900] string-match:dns-response-qname:aimhttp.oscar.aol.com(fcase =no) [3901] string-match:dns-response-qname:http.proxy.icq.com(fcase =no) [3902] string-match:pktsearch-req-text: MSNFTP\x0d\x0a(fcase =no) [3903] string-match:pktsearch-rsp-text: MSNFTP\x0d\x0a(fcase =no) [3904] string-match-ap:req-content-text:\x04\x00\x00\x00foo\x00\x30\x00(fcase =no)(offset=0, depth=0) [3905] string-match-ap:rsp-content-text:\x04\x00\x00\x00foo\x00\x30\x00(fcase =no)(offset=0, depth=0) [3906] string-match-ap:req-content-text:-GUID: {5D3E02AB-6190-11(d|D)3-BBBB-00C04F795683}\r\n(fcase =no) [3907] string-match-ap:rsp-content-text:-GUID: {5D3E02AB-6190-11(d|D)3-BBBB-00C04F795683}\r\n(fcase =no) [3908] unsigned-gt:rtsp-announce-content-len:0xffffffff:0x80000000:no [3909] string-match:http-req-uri-path:/\./web-inf(fcase =yes) [3910] string-match:http-req-uri-path:\\\.\\web-inf(fcase =yes) [3911] string-match:http-req-uri-path://web-inf(fcase =yes) [3912] string-match:http-req-uri-path:\\\\web-inf(fcase =yes) [3913] string-match:http-req-uri-path:web-inf\.(/|\\)(fcase =yes) [3914] numerical-eq:telnet-iac-cmd-counter:0xffffffff:120:no [3915] string-match:telnet-client-data-text:\xFF\xF3\xFF\xF3\xFF\xF3\xFF\xF3\xFF\xF3(fcase =no) [3916] unsigned-gt:ftp-unlock-cmd-param-length:0xffffffff:128:no [3917] string-match:netbios-ss-smb-CREATE-filename:\.(exe|com|bat)\x00(fcase =yes) [3918] string-match:netbios-ss-smb-CREATE-filename:\.\x00(e\x00x\x00e|c\x00o\x00m|b\x00a\x00t)\x00\x00(fcase =yes) [3919] 
string-match:netbios-ss-smb-CREATE-filename:\\Programs\\Startup(fcase =yes) [3920] string-match:netbios-ss-smb-CREATE-filename:\\\x00P\x00r\x00o\x00g\x00r\x00a\x00m\x00s\x00\\\x00S\x00t\x00a\x00r\x00t\x00u\x00p\x00(fcase =yes) [3921] string-match:netbios-ss-smb-CREATE-filename:\.\x00(e\x00x\x00e|c\x00o\x00m|b\x00a\x00t)\x00(fcase =yes) [3922] numerical-eq:radius-tunnel-attr-length:0xffffffff:2:no [3923] numerical-eq:smtp-command-name:0xffffffff:13:no [3924] numerical-eq:smtp-command-counter:0xffffffff:150:no [3925] string-match:http-post-req-uri-path:(\\|/)admin\.php$(fcase =yes) [3926] string-match:http-post-req-query-param-value:^admin_enter$(fcase =yes) [3927] string-match:http-post-req-query-param-name:^passw$(fcase =yes) [3928] string-match:http-post-req-query-param-value:^12345$(fcase =no) [3929] string-match:http-req-uri-path:store.cgi$(fcase =yes) [3930] string-match:http-req-uri-query-param-name:StartID(fcase =yes) [3931] string-match:http-req-uri-query-param-value:\x00\.html(fcase =yes) [3932] string-match:pktsearch-req-text:^text:(fcase =no) [3933] string-match:pktsearch-req-text:^config(fcase =no) [3934] string-match:pktsearch-req-text:^listen(fcase =no) [3935] string-match:pktsearch-req-text:^opennotpad(fcase =no) [3936] string-match:pktsearch-rsp-text:^ADEIMN(fcase =no) [3937] string-match:pktsearch-rsp-text:^AADADEAD(fcase =no) [3938] string-match:smtp-content-type-message-header:audio/(fcase =yes) [3939] string-match:smtp-name-message-header:\.(exe|pif|scr)(\x22|\r|\n| )(fcase =yes) [3940] string-match:smtp-name-message-header:\.(vbs|bat)(\x22|\r|\n| )(fcase =yes) [3941] string-match:upnp-req-location-header-text::19(fcase =no) [3942] string-match:pktsearch-req-text:^CURDIR(fcase =no) [3943] string-match:pktsearch-req-text:^DRIVES(fcase =no) [3944] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:2115:no [3945] string-match:pktsearch-rsp-text:^CURDIR(fcase =no) [3946] string-match:pktsearch-rsp-text:^DRIVES(fcase =no) [3947] 
string-match:pktsearch-req-text:User-Agent: Gnucleus(fcase =yes) [3948] string-match:http-get-req-user-agent-header:Gnucleus(fcase =yes) [3949] string-match:pktsearch-req-text:\nUser-Agent: (fcase =yes) [3950] string-match:pktsearch-req-text: \(GnucDNA (fcase =yes) [3951] string-match:http-get-req-user-agent-header: \(GnucDNA (fcase =yes) [3952] numerical-eq:kerberos-error-code:0xffffffff:non-kerberosd:no [3953] string-match:http-req-uri-path:(\xc0\x25|\xc0\x2e|\xc0\xa5|\xc0\xae)(fcase =no) [3954] string-match:http-req-uri-path:(\xc0\x2f|\xc0\xaf|\xc0\x5c|\xc0\xcc)(fcase =no) [3955] string-match:http-req-uri-path:(\xc1\x1c|\xc1\x9c)(fcase =no) [3956] string-match:http-req-uri-path:(\\|/)cmd\.exe(fcase =yes) [3957] string-match:netbios-ss-dcerpc-req-WINREG-request-payload:I\x00m\x00a\x00g\x00e\x00P\x00a\x00t\x00h\x00(fcase =no) [3958] string-match:http-req-uri-path:/ext\.ini(fcase =yes) [3959] string-match:http-req-uri-path:edit_image\.php(fcase =yes) [3960] string-match:http-req-uri-query-param-name:userfile_name(fcase =yes) [3961] string-match:http-req-uri-query-param-value:( ;|;%20)(fcase =no) [3962] numerical-eq:icmp-packet-len:0xffffffff:52:no [3963] numerical-eq:icmp-first-4b-payload:0xffffffff:0:no [3964] numerical-eq:icmp-second-4b-payload:0xffffffff:0:no [3965] string-match:icmp-payload:\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40#C0\x40#C0(fcase =no) [3966] string-match:rpc-call-data:\xe8\xc6\xff\xff\xff\x83\xc4\x0c\xe8\xc6\xff\xff\xff(fcase =no) [3967] string-match:pktsearch-req-text:\xe8\xc6\xff\xff\xff\x83\xc4\x0c\xe8\xc6\xff\xff\xff(fcase =no) [3968] string-match:pktsearch-mstream-h2a-req-text:stream/(fcase =no) [3969] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:1777:no [3970] string-match:pktsearch-req-text:\x97\x2dOPENDRIVE(fcase =no) [3971] unsigned-gt:imap-rename-cmd-param-length:0xffffffff:1024:no [3972] string-match:pktsearch-req-text:^get info(fcase =no) [3973] string-match:pktsearch-req-text:^get drives(fcase =no) [3974] 
string-match:pktsearch-req-text:^get user(fcase =no) [3975] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:11223:no [3976] string-match:rpc-call-data:\xeb\x49\x5e\x29\xc0\x29\xdb\x40\x89\x46\x04\x40\x89\x06\xb0\x06\x89\x46\x08\xb0\x66\x43\x89\xf1\xcd\x80(fcase =no) [3977] string-match:pktsearch-req-text:\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xb8\x00\x00\x00\x01\x00\x00\x00\x04(fcase =no) [3978] string-match:pktsearch-req-text:\xeb\x49\x5e\x29\xc0\x29\xdb\x40\x89\x46\x04\x40\x89\x06\xb0\x06\x89\x46\x08\xb0\x66\x43\x89\xf1\xcd\x80(fcase =no) [3979] numerical-eq:netbios-ss-error-code:0xffffffff:NETDDE_HEAP_OVERFLOW:no [3980] numerical-eq:netbios-ss-dcerpc-netdde-method:0xffffffff:0:no [3981] numerical-eq:dcerpc-error-code:0xffffffff:NETDDE_HEAP_OVERFLOW:no [3982] numerical-eq:dcerpc-netdde-method:0xffffffff:0:no [3983] unsigned-gt:netbios-ss-dcerpc-netdde-element-72:0xffffffff:255:no [3984] unsigned-gt:netbios-ss-dcerpc-netdde-element-73:0xffffffff:255:no [3985] unsigned-gt:dcerpc-netdde-element-72:0xffffffff:255:no [3986] unsigned-gt:dcerpc-netdde-element-73:0xffffffff:255:no [3987] numerical-eq:netbios-ss-error-code:0xffffffff:NETDDE_NBT_OVERFLOW:no [3988] string-match:tds-mssql-client-query-payload:x\x00p\x00_\x00d\x00e\x00l\x00e\x00t\x00e\x00q\x00u\x00e\x00u\x00e\x00 (fcase =yes) [3989] string-match:netbios-ss-tds-client-query-payload:x\x00p\x00_\x00d\x00e\x00l\x00e\x00t\x00e\x00q\x00u\x00e\x00u\x00e\x00 (fcase =yes) [3990] string-match:http-req-uri-path:query(fcase =yes) [3991] string-match:http-req-uri-query-param-name:mss(fcase =yes) [3992] numerical-eq:rsh-password-provided:0xffffffff:0:no [3993] numerical-eq:rsh-crlf-cnt:0xffffffff:3:no [3994] unsigned-gt:pop3-dele-cmd-param-length:0xffffffff:512:no [3995] string-match:smtp-SCR-message-body:D0zKK29xHKUVwdf4w5dzaG8R(fcase =no) [3996] string-match:smtp-SCR-message-body:gNU+AOspWZRIBNDYImzcFHfx(fcase =no) [3997] string-match:smtp-COM-message-body:D0zKK29xHKUVwdf4w5dzaG8R(fcase =no) [3998] 
string-match:smtp-COM-message-body:gNU+AOspWZRIBNDYImzcFHfx(fcase =no) [3999] string-match:smtp-EXE-message-body:D0zKK29xHKUVwdf4w5dzaG8R(fcase =no) [4000] string-match:smtp-EXE-message-body:gNU+AOspWZRIBNDYImzcFHfx(fcase =no) [4001] string-match:smtp-CPL-message-body:wPDTLq5HplUZaNAkYFrfoDuY(fcase =no) [4002] string-match:smtp-CPL-message-body:a3gdjfPSIMGq4WP6yaUp8x9w(fcase =no) [4003] string-match:pop3-SCR-message-body:D0zKK29xHKUVwdf4w5dzaG8R(fcase =no) [4004] string-match:pop3-SCR-message-body:gNU+AOspWZRIBNDYImzcFHfx(fcase =no) [4005] string-match:pop3-COM-message-body:D0zKK29xHKUVwdf4w5dzaG8R(fcase =no) [4006] string-match:pop3-COM-message-body:gNU+AOspWZRIBNDYImzcFHfx(fcase =no) [4007] string-match:pop3-EXE-message-body:D0zKK29xHKUVwdf4w5dzaG8R(fcase =no) [4008] string-match:pop3-EXE-message-body:gNU+AOspWZRIBNDYImzcFHfx(fcase =no) [4009] string-match:pop3-CPL-message-body:wPDTLq5HplUZaNAkYFrfoDuY(fcase =no) [4010] string-match:pop3-CPL-message-body:a3gdjfPSIMGq4WP6yaUp8x9w(fcase =no) [4011] string-match:imap-SCR-message-body:D0zKK29xHKUVwdf4w5dzaG8R(fcase =no) [4012] string-match:imap-SCR-message-body:gNU+AOspWZRIBNDYImzcFHfx(fcase =no) [4013] string-match:imap-COM-message-body:D0zKK29xHKUVwdf4w5dzaG8R(fcase =no) [4014] string-match:imap-COM-message-body:gNU+AOspWZRIBNDYImzcFHfx(fcase =no) [4015] string-match:imap-EXE-message-body:D0zKK29xHKUVwdf4w5dzaG8R(fcase =no) [4016] string-match:imap-EXE-message-body:gNU+AOspWZRIBNDYImzcFHfx(fcase =no) [4017] string-match:imap-CPL-message-body:wPDTLq5HplUZaNAkYFrfoDuY(fcase =no) [4018] string-match:imap-CPL-message-body:a3gdjfPSIMGq4WP6yaUp8x9w(fcase =no) [4019] unsigned-gt:imap-stor-cmd-param-length:0xffffffff:1024:no [4020] string-match:http-req-uri-path:(order|orders)_log\.dat(fcase =yes) [4021] string-match:http-req-uri-path:(order|orders)_log_v12\.dat(fcase =yes) [4022] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:10085:no [4023] string-match:pktsearch-rsp-text:^SyphSrv\x00v1\.(fcase =no) [4024] 
numerical-eq:pktsearch-tcp-dst-port:0xffffffff:10086:no [4025] string-match:pktsearch-req-text:^SyphCli(fcase =no) [4026] string-match:ftp-pass-cmd-param:-cklaus(fcase =no) [4027] string-match:http-req-uri-path:(\\|/)webplus(fcase =no) [4028] string-match:http-req-uri-query-param-name:script(fcase =yes) [4029] string-match:pop3-xtnd-cmd-param:\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa(fcase =no) [4030] string-match:pop3-xtnd-cmd-param:\xff\xff/bin/sh\.\.\.\.\.\.\.\.\.(fcase =no) [4031] string-match:smtp-name-message-header:\.(h|c|htm|html|doc|txt|ini|jpeg|jpg|gif|reg|ini)\.(fcase =yes) [4032] string-match:smtp-name-message-header:(ade|bas|bat|chm|cmd|com|cpl|crt|dll|hlp|hta|inf|ins|isp|js|jse|lnk)"(fcase =yes) [4033] string-match:smtp-name-message-header:\.(mdb|mde|msc|msi|msp|mst)"(fcase =yes) [4034] string-match:smtp-name-message-header:\.(ocx|pcd|pif|pot|ppt|reg|scr|sct|shb|shs|sys)"(fcase =yes) [4035] string-match:smtp-name-message-header:\.(url|vb|vbs|vbe|wsc|wsf|wsh)"(fcase =yes) [4036] string-match:smtp-name-message-header:\.xl."(fcase =yes) [4037] string-match:smtp-name-message-header:\.do."(fcase =yes) [4038] numerical-eq:snmp-req-id-length-of-length:0xffffffff:0:no [4039] numerical-eq:snmp-err-state-length-of-length:0xffffffff:0:no [4040] numerical-eq:snmp-err-index-length-of-length:0xffffffff:0:no [4041] numerical-eq:snmp-enterprise-object-id-length-of-length:0xffffffff:0:no [4042] numerical-eq:snmp-dst-ip-length-of-length:0xffffffff:0:no [4043] numerical-eq:snmp-trap-generic-length-of-length:0xffffffff:0:no [4044] numerical-eq:snmp-trap-specified-length-of-length:0xffffffff:0:no [4045] numerical-eq:snmp-time-stamp-length-of-length:0xffffffff:0:no [4046] unsigned-gt:pop3-apop-cmd-param-length:0xffffffff:512:no [4047] unsigned-gt:telnet-client-data-text-length:0xffffffff:1000000:no [4048] string-match:smtp-EXE-message-body:LXWBwFGs8uH6DUyGZIcOXY4Q(fcase =no) [4049] string-match:smtp-EXE-message-body:x3vhGEvViI1o7OvWBKc0Ehtw(fcase =no) [4050] 
string-match:smtp-SCR-message-body:LXWBwFGs8uH6DUyGZIcOXY4Q(fcase =no) [4051] string-match:smtp-SCR-message-body:x3vhGEvViI1o7OvWBKc0Ehtw(fcase =no) [4052] string-match:smtp-PIF-message-body:LXWBwFGs8uH6DUyGZIcOXY4Q(fcase =no) [4053] string-match:smtp-PIF-message-body:x3vhGEvViI1o7OvWBKc0Ehtw(fcase =no) [4054] string-match:smtp-CMD-message-body:LXWBwFGs8uH6DUyGZIcOXY4Q(fcase =no) [4055] string-match:smtp-CMD-message-body:x3vhGEvViI1o7OvWBKc0Ehtw(fcase =no) [4056] string-match:smtp-BAT-message-body:LXWBwFGs8uH6DUyGZIcOXY4Q(fcase =no) [4057] string-match:smtp-BAT-message-body:x3vhGEvViI1o7OvWBKc0Ehtw(fcase =no) [4058] string-match:smtp-ZIP-message-body:LXWBwFGs8uH6DUyGZIcOXY4Q(fcase =no) [4059] string-match:smtp-ZIP-message-body:x3vhGEvViI1o7OvWBKc0Ehtw(fcase =no) [4060] string-match:smtp-ZIP-message-body:dYHAUazy4foNTIZkhw5djhDH(fcase =no) [4061] string-match:smtp-ZIP-message-body:e+EYS9WIjWjs69YEpzQSG3CT(fcase =no) [4062] string-match:smtp-ZIP-message-body:gcBRrPLh+g1MhmSHDl2OEMd7(fcase =no) [4063] string-match:smtp-ZIP-message-body:4RhL1YiNaOzr1gSnNBIbcJN4(fcase =no) [4064] string-match:pop3-EXE-message-body:LXWBwFGs8uH6DUyGZIcOXY4Q(fcase =no) [4065] string-match:pop3-EXE-message-body:x3vhGEvViI1o7OvWBKc0Ehtw(fcase =no) [4066] string-match:pop3-SCR-message-body:LXWBwFGs8uH6DUyGZIcOXY4Q(fcase =no) [4067] string-match:pop3-SCR-message-body:x3vhGEvViI1o7OvWBKc0Ehtw(fcase =no) [4068] string-match:pop3-PIF-message-body:LXWBwFGs8uH6DUyGZIcOXY4Q(fcase =no) [4069] string-match:pop3-PIF-message-body:x3vhGEvViI1o7OvWBKc0Ehtw(fcase =no) [4070] string-match:pop3-CMD-message-body:LXWBwFGs8uH6DUyGZIcOXY4Q(fcase =no) [4071] string-match:pop3-CMD-message-body:x3vhGEvViI1o7OvWBKc0Ehtw(fcase =no) [4072] string-match:pop3-BAT-message-body:LXWBwFGs8uH6DUyGZIcOXY4Q(fcase =no) [4073] string-match:pop3-BAT-message-body:x3vhGEvViI1o7OvWBKc0Ehtw(fcase =no) [4074] string-match:pop3-ZIP-message-body:LXWBwFGs8uH6DUyGZIcOXY4Q(fcase =no) [4075] 
string-match:pop3-ZIP-message-body:x3vhGEvViI1o7OvWBKc0Ehtw(fcase =no) [4076] string-match:pop3-ZIP-message-body:dYHAUazy4foNTIZkhw5djhDH(fcase =no) [4077] string-match:pop3-ZIP-message-body:e+EYS9WIjWjs69YEpzQSG3CT(fcase =no) [4078] string-match:pop3-ZIP-message-body:gcBRrPLh+g1MhmSHDl2OEMd7(fcase =no) [4079] string-match:pop3-ZIP-message-body:4RhL1YiNaOzr1gSnNBIbcJN4(fcase =no) [4080] string-match:imap-EXE-message-body:LXWBwFGs8uH6DUyGZIcOXY4Q(fcase =no) [4081] string-match:imap-EXE-message-body:x3vhGEvViI1o7OvWBKc0Ehtw(fcase =no) [4082] string-match:imap-SCR-message-body:LXWBwFGs8uH6DUyGZIcOXY4Q(fcase =no) [4083] string-match:imap-SCR-message-body:x3vhGEvViI1o7OvWBKc0Ehtw(fcase =no) [4084] string-match:imap-PIF-message-body:LXWBwFGs8uH6DUyGZIcOXY4Q(fcase =no) [4085] string-match:imap-PIF-message-body:x3vhGEvViI1o7OvWBKc0Ehtw(fcase =no) [4086] string-match:imap-CMD-message-body:LXWBwFGs8uH6DUyGZIcOXY4Q(fcase =no) [4087] string-match:imap-CMD-message-body:x3vhGEvViI1o7OvWBKc0Ehtw(fcase =no) [4088] string-match:imap-BAT-message-body:LXWBwFGs8uH6DUyGZIcOXY4Q(fcase =no) [4089] string-match:imap-BAT-message-body:x3vhGEvViI1o7OvWBKc0Ehtw(fcase =no) [4090] string-match:imap-ZIP-message-body:LXWBwFGs8uH6DUyGZIcOXY4Q(fcase =no) [4091] string-match:imap-ZIP-message-body:x3vhGEvViI1o7OvWBKc0Ehtw(fcase =no) [4092] string-match:imap-ZIP-message-body:dYHAUazy4foNTIZkhw5djhDH(fcase =no) [4093] string-match:imap-ZIP-message-body:e+EYS9WIjWjs69YEpzQSG3CT(fcase =no) [4094] string-match:imap-ZIP-message-body:gcBRrPLh+g1MhmSHDl2OEMd7(fcase =no) [4095] string-match:imap-ZIP-message-body:4RhL1YiNaOzr1gSnNBIbcJN4(fcase =no) [4096] string-match:imap-select-cmd-param:core(fcase =no) [4097] string-match:lpr-receive-control-file-content:\nLroot\nM-oA/var/(fcase =no) [4098] string-match:lpr-receive-control-file-content:\nLroot\nM-oC/var/(fcase =no) [4099] string-match:smtp-mail-cmd-param:from: <>(\r|\n)(fcase =yes) [4100] string-match:http-req-uri-path:iisadmin(\\|/)bdir\.htr(fcase =yes) 
[4101] numerical-eq:dcerpc-udp-req-MESSAGE-request-udp-op-num:0xffffffff:0:no [4102] unsigned-gt:dcerpc-udp-MESSAGE-request-udp-length:0xffffffff:2200:no [4103] numerical-eq:dcerpc-MESSAGE-request-op-num:0xffffffff:0:no [4104] unsigned-gt:dcerpc-req-MESSAGE-request-frag-length:0xffffffff:2200:no [4105] numerical-eq:netbios-ss-dcerpc-req-MESSAGE-request-op-num:0xffffffff:0:no [4106] unsigned-gt:netbios-ss-dcerpc-req-MESSAGE-frag-length:0xffffffff:2200:no [4107] string-match:pktsearch-req-text:^\x2fbeep(fcase =no) [4108] string-match:pktsearch-req-text:^\x2fyche(fcase =no) [4109] string-match:pktsearch-req-text:^\x2fflood(fcase =no) [4110] string-match:pktsearch-req-text:^\x2fbomb(fcase =no) [4111] string-match:pktsearch-req-text:^\x2fformat(fcase =no) [4112] string-match:pktsearch-req-text:^\x2ficq(fcase =no) [4113] string-match:pktsearch-req-text:^\x2freboot(fcase =no) [4114] string-match:pktsearch-req-text:^\x2fopen(fcase =no) [4115] string-match:pktsearch-req-text:^\x2fclose(fcase =no) [4116] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:65000:no [4117] string-match:pktsearch-rsp-text:^pass_pleaz(fcase =no) [4118] string-match:pktsearch-req-text:^pass_pleaz(fcase =no) [4119] string-match:irc-req-text:^version(fcase =no) [4120] string-match:irc-rsp-text:^passed(fcase =no) [4121] string-match:irc-rsp-text:^pass_pleaz(fcase =no) [4122] string-match:irc-req-text:^pass_pleaz(fcase =no) [4123] string-match:pktsearch-rsp-text:^passed(fcase =no) [4124] string-match:pktsearch-req-text:^start hide(fcase =no) [4125] string-match:pktsearch-req-text:^start show(fcase =no) [4126] string-match:tds-sybase-client-query-payload:xp_freedll\((fcase =yes) [4127] unsigned-gt:smtp-etrn-cmd-param-length:0xffffffff:260:no [4128] string-match:smtp-etrn-cmd-param:\x31\xc0\x40\x40\x89\x45\xf4\x48\x89\x45\xf8\x48\x89(fcase =no) [4129] string-match:http-req-uri-path:quick_reply.php(fcase =yes) [4130] string-match:http-req-query-param-name:phpbb_root_path(fcase =yes) [4131] 
string-match:pktsearch-afs-req-text:\x00\x00\x00\x86(fcase =no) [4132] string-match:pktsearch-afs-req-text:\x31\xdb\xcd\x80(fcase =no) [4133] string-match:pktsearch-afs-req-text:/bin/sh(fcase =no) [4134] string-match:rpc-call-data:\x00\x01\x87\x03\x00\x00\x00\x01\x00\x00\x00\x01(fcase =no) [4135] string-match:rpc-call-data:\x00\x01\x87\x03\x00\x00\x00\x02\x00\x00\x00\x01(fcase =no) [4136] string-match:rpc-call-data:0x3b(fcase =no) [4137] string-match:irc-req-text:!Hacks for my list of Hacks(fcase =no) [4138] string-match:irc-req-text:RealWayToHack for a Help with hacking(fcase =no) [4139] string-match:irc-rsp-text:RealWayToHack for a Help with hacking(fcase =no) [4140] string-match:pktsearch-req-text:^from=iGLOO(fcase =no) [4141] string-match:tds-mssql-client-query-payload:o\x00p\x00e\x00n\x00d\x00a\x00t\x00a\x00s\x00o\x00u\x00r\x00c\x00e\x00(fcase =yes) [4142] string-match:netbios-ss-tds-client-query-payload:o\x00p\x00e\x00n\x00d\x00a\x00t\x00a\x00s\x00o\x00u\x00r\x00c\x00e\x00(fcase =yes) [4143] numerical-eq:icmp-echo-reply-id:0xffffffff:456:no [4144] string-match:icmp-echo-reply-payload:\x31\x32\x33\x34\x35\x00(fcase =no) [4145] string-match:http-req-uri-path:%1u%1u(fcase =no) [4146] string-match:http-req-uri-path:(get32\.exe|get16\.exe|post32\.exe|post16\.exe|tst\.bat|tst2\.bat|lsin\.exe|lsindex2\.bat|imapcern\.exe|imapncsa\.exe|aliredir\.exe)\|(fcase =yes) [4147] string-match:smtp-message-body:\n\nTV..AA.AAA(fcase =no) [4148] string-match:smtp-message-body:\n\r\nTV..AA.AA(fcase =no) [4149] string-match:smtp-ZIP-message-body:TVqQAAMAAAAE(fcase =no) [4150] string-match:smtp-ZIP-message-body:AAAA//8AALgA(fcase =no) [4151] string-match:smtp-ZIP-message-body:WpAAAwAAAAQA(fcase =no) [4152] string-match:smtp-ZIP-message-body:AAD//wAAuAAA(fcase =no) [4153] string-match:smtp-ZIP-message-body:kAADAAAABAAA(fcase =no) [4154] string-match:smtp-ZIP-message-body:AP//AAC4AAAA(fcase =no) [4155] string-match:pop3-message-body:\n\nTVqQAAMAAAAEAAAA//8AAL(fcase =no) [4156] 
string-match:pop3-message-body:\n\r\nTVqQAAMAAAAEAAAA//8AA(fcase =no) [4157] string-match:pop3-ZIP-message-body:TVqQAAMAAAAE(fcase =no) [4158] string-match:pop3-ZIP-message-body:AAAA//8AALgA(fcase =no) [4159] string-match:pop3-ZIP-message-body:WpAAAwAAAAQA(fcase =no) [4160] string-match:pop3-ZIP-message-body:AAD//wAAuAAA(fcase =no) [4161] string-match:pop3-ZIP-message-body:kAADAAAABAAA(fcase =no) [4162] string-match:pop3-ZIP-message-body:AP//AAC4AAAA(fcase =no) [4163] string-match:imap-message-body:\n\nTVqQAAMAAAAEAAAA//8AAL(fcase =no) [4164] string-match:imap-message-body:\n\r\nTVqQAAMAAAAEAAAA//8AA(fcase =no) [4165] string-match:imap-ZIP-message-body:TVqQAAMAAAAE(fcase =no) [4166] string-match:imap-ZIP-message-body:AAAA//8AALgA(fcase =no) [4167] string-match:imap-ZIP-message-body:WpAAAwAAAAQA(fcase =no) [4168] string-match:imap-ZIP-message-body:AAD//wAAuAAA(fcase =no) [4169] string-match:imap-ZIP-message-body:kAADAAAABAAA(fcase =no) [4170] string-match:imap-ZIP-message-body:AP//AAC4AAAA(fcase =no) [4171] string-match:pktsearch-req-text:CDTRAY(fcase =no) [4172] string-match:pktsearch-req-text:FLASH-COLORS(fcase =no) [4173] string-match:pktsearch-req-text:clLime(fcase =no) [4174] string-match:pktsearch-req-text:clGreen(fcase =no) [4175] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:32418:no [4176] string-match:pktsearch-req-text:^CDTRAY(fcase =no) [4177] string-match:pktsearch-req-text:^FLASH-COLORS(fcase =no) [4178] string-match:pktsearch-req-text:^clLime(fcase =no) [4179] string-match:pktsearch-req-text:^clGreen(fcase =no) [4180] string-match:smtp-message-body:b6iUb1iTaJdgSJdgiDBhCDRg(fcase =no) [4181] string-match:smtp-message-body:g0YIG4lGDIhGF4hGGohGRVBW(fcase =no) [4182] string-match:smtp-message-body:W4vc2guLWMuZWNobyAnaDo6M(fcase =no) [4183] string-match:smtp-message-body:XIK/71yCv+9cgr/vXIK/71yC(fcase =no) [4184] string-match:pktsearch-req-text:INVITE MSNMSGR:(fcase =no) [4185] string-match:pktsearch-req-text:{A4268EEC-FEC5-49E5-95C3-F126696BDBF6}(fcase 
=no) [4186] string-match:pktsearch-req-text:TG9jYXRpb249Ii4uXC4u(fcase =no) [4187] string-match:pktsearch-req-text:IExvY2F0aW9uPSIuLlwu(fcase =no) [4188] string-match:pktsearch-req-text:b2NhdGlvbj0iLi5cLi(fcase =no) [4189] string-match:pktsearch-rsp-text:MSNSLP/1\.0 200 OK(fcase =no) [4190] string-match:pktsearch-rsp-text:^phAse(fcase =no) [4191] string-match:http-req-uri-path:cachemgr\.cgi(fcase =yes) [4192] string-match:http-req-uri-query-param-name:port(fcase =yes) [4193] string-match:http-req-uri-query-param-name:user_name(fcase =yes) [4194] string-match:pktsearch-req-text:Invitation-Cookie:(fcase =no) [4195] string-match:http-req-uri-path:\.html(/|\\)(fcase =yes) [4196] string-match:http-req-uri-path:(/|\\)\.\.(fcase =yes) [4197] string-match:irc-req-privmsg-cmd-param::\(trinity\)(fcase =yes) [4198] string-match:irc-req-message::\(entitee\)(fcase =yes) [4199] string-match:irc-req-join-cmd-param:#b3eblebr0x(fcase =yes) [4200] string-match:irc-req-text::\(trinity\) someone needs a miracle\.\.\.(fcase =no) [4201] string-match:irc-req-text::\(trinity\) i will now hit on random ports\.\.\.(fcase =no) [4202] string-match:irc-rsp-text::\(trinity\) ping(fcase =no) [4203] string-match:irc-rsp-text::\(trinity\) tudp(fcase =no) [4204] string-match:irc-rsp-text::\(trinity\) tfrag(fcase =no) [4205] string-match:irc-rsp-text::\(trinity\) tsyn(fcase =no) [4206] string-match:irc-rsp-text::\(trinity\) trst(fcase =no) [4207] string-match:irc-rsp-text::\(trinity\) trnd(fcase =no) [4208] string-match:irc-rsp-text::\(trinity\) tack(fcase =no) [4209] string-match:irc-rsp-text::\(trinity\) testab(fcase =no) [4210] string-match:irc-rsp-text::\(trinity\) tnull(fcase =no) [4211] string-match:irc-req-text::\(trinity\) ping(fcase =no) [4212] string-match:irc-req-text::\(trinity\) tudp(fcase =no) [4213] string-match:irc-req-text::\(trinity\) tfrag(fcase =no) [4214] string-match:irc-req-text::\(trinity\) tsyn(fcase =no) [4215] string-match:irc-req-text::\(trinity\) trst(fcase =no) [4216] 
string-match:irc-req-text::\(trinity\) trnd(fcase =no) [4217] string-match:irc-req-text::\(trinity\) tack(fcase =no) [4218] string-match:irc-req-text::\(trinity\) testab(fcase =no) [4219] string-match:irc-req-text::\(trinity\) tnull(fcase =no) [4220] string-match:pktsearch-rsp-text:^XLog 2\.2(fcase =no) [4221] string-match:pktsearch-rsp-text:written by Garret(fcase =no) [4222] string-match:http-get-req-uri-path:scrsvr\.exe(fcase =yes) [4223] string-match:http-get-req-host-header:www\.opasoft\.com(fcase =yes) [4224] string-match:http-req-uri-path:work/scheduler\.php(fcase =yes) [4225] string-match:http-req-host-header:www\.opasoft\.com(fcase =yes) [4226] numerical-eq:netbios-ss-dcerpc-req-SAMR-request-op-num:0xffffffff:0x07:no [4227] numerical-eq:netbios-ss-dcerpc-req-SAMR-request-op-num:0xffffffff:0x0d:no [4228] numerical-eq:netbios-ss-dcerpc-req-SAMR-request-op-num:0xffffffff:0x28:no [4229] string-match:netbios-ss-smb-rsp-transaction-buffer:A\x00d\x00m\x00i\x00n\x00i\x00s\x00t\x00r\x00a\x00t\x00o\x00r\x00(fcase =no) [4230] string-match:smtp-first-invalid-cmd-text:(\x00){12}(fcase =no) [4231] string-match:http-post-req-uri-path:(calender|calender_admin)\.pl(fcase =yes) [4232] string-match:http-post-req-message-body:=|(fcase =no) [4233] numerical-eq:h225-error-code:0xffffffff:DestinationAddressE164LengthAnomaly:no [4234] numerical-eq:rpc-call-procedure:0xffffffff:13:no [4235] numerical-eq:rpc-call-prognum:0xffffffff:391016:no [4236] string-match:pktsearch-req-text:User-Agent: LimeWire(fcase =yes) [4237] string-match:http-get-req-user-agent-header:LimeWire(fcase =yes) [4238] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:31:no [4239] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:456:no [4240] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:3129:no [4241] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:40421:no [4242] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:40422:no [4243] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:40423:no [4244] 
numerical-eq:pktsearch-tcp-dst-port:0xffffffff:40425:no [4245] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:40426:no [4246] string-match:pktsearch-req-text:^GetAgentInfo(fcase =no) [4247] string-match:pktsearch-req-text:^ListWindows(fcase =no) [4248] string-match:pktsearch-req-text:^List (fcase =no) [4249] string-match:pktsearch-req-text:^MouseMove (fcase =no) [4250] string-match:pktsearch-req-text:^Closewindow (fcase =no) [4251] string-match:http-post-req-content-type-header:/x-www-form-(fcase =no) [4252] string-match:http-post-req-transfer-encoding-header:chunked(fcase =no) [4253] string-match:http-post-req-uri-query-params:\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1d\x8d\xa0\xf0(fcase =no) [4254] unsigned-gt:socks-v5-user-len:0xffffffff:127:no [4255] unsigned-gt:socks-v5-pass-len:0xffffffff:127:no [4256] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:7307:no [4257] string-match:pktsearch-rsp-text:^... bytes\x0d\x0a\x00\x00(fcase =no) [4258] string-match:netbios-ss-smb-open_andx-buffer:\.pwl\x00(fcase =yes) [4259] string-match:netbios-ss-smb-open_andx-buffer:\x00\.\x00p\x00w\x00l\x00(fcase =yes) [4260] string-match:netbios-ss-smb-nt_create_andx-buffer:\.pwl\x00(fcase =yes) [4261] string-match:netbios-ss-smb-nt_create_andx-buffer:\x00\.\x00p\x00w\x00l\x00(fcase =yes) [4262] string-match:smtp-vrfy-cmd-param:\([\r\n](fcase =no) [4263] string-match:smtp-expn-cmd-param:\([\r\n](fcase =no) [4264] string-match:smtp-mail-cmd-param:from: \((fcase =yes) [4265] string-match:smtp-rcpt-cmd-param:to: \((fcase =yes) [4266] string-match:rpc-call-data:\x94\x1b\xc0\x0f\xec\x02\x3f\xf0\xac\x22\x80\x16(fcase =no) [4267] string-match:pktsearch-req-text:\x94\x1b\xc0\x0f\xec\x02\x3f\xf0\xac\x22\x80\x16(fcase =no) [4268] string-match:pktsearch-rsp-text:^PWD(fcase =no) [4269] string-match:pktsearch-req-text:^PWD(fcase =no) [4270] string-match:pktsearch-rsp-text:^connected\. 
(fcase =no) [4271] string-match:pktsearch-rsp-text:version: (fcase =no) [4272] string-match:tds-mssql-client-query-payload:x\x00p\x00_\x00c\x00o\x00n\x00t\x00r\x00o\x00l\x00q\x00u\x00e\x00u\x00e\x00s\x00e\x00r\x00v\x00i\x00c\x00e(fcase =yes) [4273] string-match:netbios-ss-tds-client-query-payload:x\x00p\x00_\x00c\x00o\x00n\x00t\x00r\x00o\x00l\x00q\x00u\x00e\x00u\x00e\x00s\x00e\x00r\x00v\x00i\x00c\x00e(fcase =yes) [4274] string-match:http-req-uri-path:^(\\){6}(fcase =no) [4275] string-match:http-req-uri-path:^(/){6}(fcase =no) [4276] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:5534:no [4277] string-match:pktsearch-req-text:^{E}[cCdDeE]:\\(fcase =no) [4278] unsigned-gt:http-webdav-propfind-req-content-length:0xffffffff:100000:no [4279] unsigned-gt:http-webdav-search-req-content-length:0xffffffff:100000:no [4280] string-match:pktsearch-req-text:\x82\x10\x20.\x91\xd0\x38\x08(fcase =no) [4281] string-match:pktsearch-req-text:\x82\x10\x20.\x91\xd0\x38\x10(fcase =no) [4282] string-match:pktsearch-req-text:\x04\xbf\xff.\x81\xdd\xff\xfc(fcase =no) [4283] string-match:pktsearch-req-text:\x00\x01\x87\x03\x00\x00\x00\x01\x00\x00\x00\x01(fcase =no) [4284] string-match:pktsearch-req-text:^VER (fcase =no) [4285] string-match:pktsearch-rsp-text:^Snid X2 Server - (fcase =no) [4286] string-match:pktsearch-rsp-text:^Snid X3 Server - (fcase =no) [4287] string-match:tds-mssql-client-query-payload:x\x00p\x00_\x00r\x00e\x00a\x00d\x00p\x00k\x00f\x00r\x00o\x00m\x00q\x00u\x00e\x00u\x00e\x00 (fcase =yes) [4288] string-match:netbios-ss-tds-client-query-payload:x\x00p\x00_\x00r\x00e\x00a\x00d\x00p\x00k\x00f\x00r\x00o\x00m\x00q\x00u\x00e\x00u\x00e\x00 (fcase =yes) [4289] string-match:http-req-uri-path:(\\|/)netauth.cgi$(fcase =yes) [4290] string-match:rlogin-username-client-login:^root[\r\n](fcase =no) [4291] string-match:rlogin-client-handshake-serveruser-text:^root$(fcase =no) [4292] string-match:pktsearch-req-text:^messagebox(fcase =no) [4293] 
string-match:pktsearch-req-text:^inputboxman(fcase =no) [4294] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:5011:no [4295] string-match:http-req-uri-path:\.php3.\\\.\.(fcase =yes) [4296] string-match:smtp-message-body:UgBvAG8AdAAgA(fcase =no) [4297] string-match:smtp-message-body:EUAbgB0AAByAH(fcase =no) [4298] string-match:smtp-message-body:AG8AbwB0ACAAR(fcase =no) [4299] string-match:smtp-message-body:QBuAHQAAHIA(fcase =no) [4300] string-match:smtp-message-body:bwBvAHQAIABFAG4AdA(fcase =no) [4301] string-match:smtp-message-body:2PRQMLWYzxG7ggCqAL3O(fcase =no) [4302] string-match:smtp-message-body:9FAwtZjPEbuCAKoAvc4L(fcase =no) [4303] string-match:smtp-message-body:UDC1mM8Ru4IAqgC9(fcase =no) [4304] unsigned-gt:smtp-help-cmd-param-length:0xffffffff:514:no [4305] unsigned-gt:http-get-req-uri-query-param-value-length:0xffffffff:10023:no [4306] string-match:http-get-req-uri-path:(/|\\)pi$(fcase =yes) [4307] numerical-eq:h225-error-code:0xffffffff:SourceAddressChoiceAnomaly:no [4308] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:9878:no [4309] string-match:pktsearch-req-text:^ID(fcase =no) [4310] string-match:tds-mssql-server-response-payload:L\x00o\x00g\x00i\x00n\x00 \x00f\x00a\x00i\x00l\x00e\x00d\x00 \x00f\x00o\x00r\x00 \x00u\x00s\x00e\x00r\x00 \x00\x27\x00s\x00a\x00\x27(fcase =yes) [4311] string-match:tds-mssql-server-response-payload:Login failed for user \x27sa\x27(fcase =yes) [4312] numerical-eq:tds-mssql-response-code:0xffffffff:0xaa:no [4313] string-match:tds-mssql-server-response-payload:L\x00o\x00g\x00i\x00n\x00 \x00f\x00a\x00i\x00l\x00e\x00d\x00 (fcase =yes) [4314] string-match:tds-mssql-server-response-payload:Login failed (fcase =yes) [4315] string-match:ftp-cwd-cmd-param:\.%20\.(fcase =no) [4316] string-match:http-req-uri-path:process_bug\.cgi$(fcase =no) [4317] string-match:http-req-uri-query-param-name:who(fcase =no) [4318] string-match:http-req-uri-query-param-name:bug_status(fcase =no) [4319] 
string-match:http-req-uri-query-param-value:;(echo|cat) (fcase =no) [4320] unsigned-gt:snmp-err-state-msg-qllength:0xffffffff:4:no [4321] unsigned-gt:snmp-err-state-length-of-length:0xffffffff:2:no [4322] string-match:tftp-rrq-filename:msblast\.exe(fcase =yes) [4323] string-match:tftp-rrq-filename:root32\.exe(fcase =yes) [4324] string-match:tftp-rrq-filename:teekids\.exe(fcase =yes) [4325] string-match:tftp-rrq-filename:index\.exe(fcase =yes) [4326] string-match:tftp-rrq-filename:penis32\.exe(fcase =yes) [4327] numerical-eq:http-req-webdav-xmlattr-count:0xffffffff:5000:no [4328] string-match:pktsearch-req-text:^info(fcase =no) [4329] string-match:pktsearch-rsp-text:^Product Name(fcase =no) [4330] string-match:smtp-message-body:\x3cobject(fcase =yes) [4331] string-match:smtp-message-body:location\.reload\(\)(fcase =yes) [4332] unsigned-gt:dcerpc-dcom-file-name-length:0xffffffff:527:no [4333] numerical-eq:dcerpc-error-code:0xffffffff:18:no [4334] unsigned-gt:netbios-ss-dcerpc-dcom-file-name-length:0xffffffff:527:no [4335] numerical-eq:netbios-ss-error-code:0xffffffff:20:no [4336] string-match:rpc-call-data:\x80\xff\xff\xac\x84\xff\xec\x24\x84\xff\xf8\x24\x85\xff\xf0\xac\x84\xff\xf0(fcase =no) [4337] string-match:pktsearch-req-text:\x80\xff\xff\xac\x84\xff\xec\x24\x84\xff\xf8\x24\x85\xff\xf0\xac\x84\xff\xf0(fcase =no) [4338] string-match:pktsearch-rsp-text:^Welcome\x21\x0d\x0a\x23\x20(fcase =no) [4339] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:34324:no [4340] string-match:pktsearch-req-text:^View(fcase =no) [4341] string-match:pktsearch-rsp-text:^Welcome!\r\n# (fcase =no) [4342] string-match:tds-mssql-client-query-payload:x\x00p\x00_\x00p\x00r\x00o\x00x\x00i\x00e\x00d\x00m\x00e\x00t\x00a\x00d\x00a\x00t\x00a(fcase =yes) [4343] string-match:netbios-ss-tds-client-query-payload:x\x00p\x00_\x00p\x00r\x00o\x00x\x00i\x00e\x00d\x00m\x00e\x00t\x00a\x00d\x00a\x00t\x00a(fcase =yes) [4344] numerical-eq:snmp-err-code:0xffffffff:req-to-trap:no [4345] 
unsigned-gt:telnet-server-environ-sb-param-length:0xffffffff:128:no [4346] string-match:http-req-uri-path:\.chl+(fcase =yes) [4347] numerical-eq:pptp-invalid-msg:0xffffffff:1:no [4348] unsigned-lt:pptp-req-msg-len:0xffffffff:64:no [4349] unsigned-gt:pptp-req-msg-len:0xffffffff:10:no [4350] string-match:lpr-lprng-extend-cmd-params: root start (fcase =no) [4351] string-match:lpr-lprng-extend-cmd-params: root topq (fcase =no) [4352] string-match:finger-client-data-text:cmd_rootsh(fcase =no) [4353] string-match:finger-client-data-text:cmd_adduser(fcase =no) [4354] string-match:finger-client-data-text:cmd_deluser(fcase =no) [4355] string-match:finger-client-data-text:cmd_stealth(fcase =no) [4356] string-match:finger-client-data-text:cmd_cleanup(fcase =no) [4357] string-match:http-req-uri-path:(\.asp|\.htr)\\$(fcase =yes) [4358] string-match:pktsearch-rsp-text:^ForCed EnTrY (fcase =no) [4359] string-match:pktsearch-rsp-text:^nfo on the specified drive(fcase =no) [4360] numerical-eq:pktsearch-tcp-dst-port:0xffffffff:142:no [4361] string-match:pktsearch-rsp-text:^00Ver\. 
1\.8(fcase =no) [4362] string-match:http-req-uri-path:awstats\.pl(fcase =yes) [4363] string-match:http-req-uri-query-params:configdir=|(fcase =yes) [4364] string-match:http-req-uri-query-params:logfile=|(fcase =yes) [4365] string-match:http-req-uri-query-params:pluginmode=:system(fcase =yes) [4366] string-match:http-req-uri-path:\.jsp\x00\.(fcase =yes) [4367] string-match:http-req-uri-path:/\x00\.jsp(fcase =yes) [4368] string-match:pktsearch-req-text:^FC\x20(fcase =no) [4369] string-match:pktsearch-rsp-text:^WHATISIT(fcase =no) [4370] string-match:pktsearch-rsp-text:^FC'S TROJAN(fcase =no) [4371] string-match:tds-mssql-client-query-payload:s\x00p\x00_\x00s\x00t\x00a\x00r\x00t\x00_\x00j\x00o\x00(fcase =yes) [4372] string-match:netbios-ss-tds-client-query-payload:s\x00p\x00_\x00s\x00t\x00a\x00r\x00t\x00_\x00j\x00o\x00(fcase =yes) [4373] string-match:http-req-uri-query-param-value:default\.asp(fcase =yes) [4374] string-match:http-post-req-message-body:\.\.(/|\\)(fcase =no) [4375] string-match:http-post-req-message-body:default\.asp(fcase =yes) [4376] string-match:http-post-req-uri-path:\.htw$(fcase =yes) [4377] string-match:http-post-req-message-body:CiWebHitsFile(fcase =yes) [4378] unsigned-gt:snmp-null-msg-qllength:0xffffffff:0:no [4379] string-match:pop3-auth-cmd-param:\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa\x89\xf9\x89\xf0\xab(fcase =no) [4380] string-match:pop3-auth-cmd-param:\xff\xff/bin/sh(fcase =no) [4381] string-match:pop3-auth-cmd-param:\xeb\x1b\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x29\xc0\xaa\x89(fcase =no) [4382] numerical-eq:http-error-code:0xffffffff:ASP.NET_SLASH_BYPASS:no [4383] string-match:http-req-uri-path:%5c(fcase =yes) [4384] string-match:http-req-uri-path:\.aspx(fcase =yes) [4385] numerical-eq:dns-response-ancount:0xffffffff:3:no [4386] numerical-eq:dns-response-answer-type:0xffffffff:12:no [4387] numerical-eq:dns-response-answer-type:0xffffffff:10:no [4388] string-match:dns-response-answer-rdata:(N){12}(fcase =no) [4389] 